Page 165 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
eSentire Discovers Hackers Spearphishing Hiring Managers with Resumes Poisoned with More_Eggs Malware
By Keegan Keplinger, Research and Reporting Lead, Threat Response Unit, eSentire
In March, eSentire’s security research team, the Threat Response Unit (TRU), discovered that the stealthy more_eggs malware had re-emerged after being silent for nearly a year. More_eggs was being used in a phishing campaign in which hackers posed as job applicants and lured corporate hiring managers into downloading what they believed were resumes from potential candidates. However, the bogus documents contained the more_eggs malware.
More_eggs is malicious software that contains several components, including one engineered to steal valuable credentials, including usernames and passwords for corporate bank accounts, email accounts and IT administrator accounts. If a threat actor can obtain IT administration credentials for a company, they can easily exfiltrate data from the victim, spread their malware to other computer hosts within the organization’s network via Microsoft TeamViewer, and encrypt the company’s files.
The Golden Chickens group (aka Venom Spider) is believed to be the threat operators behind more_eggs. Thus far this year, TRU has discovered and shut down four separate security incidents relating to more_eggs. The organizations attacked include a U.S.-based aerospace/defense company; a large UK-based CPA firm; an international business law firm based out of Canada; and a national Canadian staffing agency.