The threat actor known as Golden Chickens has been observed conducting a spearphishing campaign that leverages job-themed lures to compromise human resources employees with a backdoor dubbed ‘More_eggs’.
The attack chain begins with Golden Chickens emailing recruitment officers while posing as job seekers interested in a position at the target company. Once trust is established, the target is directed to a remote website from which they can download what appears to be the candidate’s resume. The resume is fake: once downloaded and executed, it installs the More_eggs backdoor.
The More_eggs backdoor is designed to harvest credentials, including those for bank, email, and IT-related accounts. It is offered as malware-as-a-service (MaaS), meaning that any threat actor who purchases a subscription can use the malware and its command-and-control infrastructure, which the MaaS operator typically maintains as part of the service.
Source: The Hacker News
Analysis
HR employees, especially recruitment officers, are frequently targeted by threat actors because engaging with unknown external contacts is a routine part of their duties.
As a result, employees in these roles should receive cybersecurity awareness training that helps them recognize attack vectors such as malware-laced fake resumes downloaded from remote hosts. Additionally, organizations should put in place technical controls that automatically scan files for threats before users can download or execute them.
While this campaign appears to be the work of a financially motivated cybercriminal group, state-sponsored hacking groups, particularly from North Korea, are also known to use job-themed lures to compromise networks of interest. On October 1, we reported that the North Korean threat actor known as Kimsuky ran a clever job-themed phishing campaign, supported by advanced social engineering tactics, that compromised a German missile manufacturer.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for emerging threats such as Golden Chickens’ use of the More_eggs backdoor. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these threats pose.
Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect recommends that organizations scrutinize job application invites received via email, messaging services such as WhatsApp, and social media, and consider that the individuals contacting them may not be who they claim to be. Organizations should always make an effort to verify a potential candidate’s identity.
Field Effect users are encouraged to submit suspicious emails, including job offers and resumes, to Field Effect’s Suspicious Email Analysis Service (SEAS) to confirm they are benign before clicking links or opening attachments.