Page 165 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

eSentire Discovers Hackers Spearphishing Hiring Managers with Resumes Poisoned with More_Eggs Malware

By Keegan Keplinger, Research and Reporting Lead, Threat Response Unit, eSentire



In March, eSentire’s security research team, the Threat Response Unit (TRU), discovered that the stealthy more_eggs malware had re-emerged after being silent for nearly a year. More_eggs was being used in a phishing campaign where hackers were posing as job applicants and luring corporate hiring managers into downloading what they believed were resumes from potential candidates. However, the bogus documents contained the more_eggs malware.

More_eggs is malicious software that contains several components, including one engineered to steal valuable credentials, such as usernames and passwords for corporate bank accounts, email accounts and IT administrator accounts. If a threat actor can obtain IT administration credentials for a company, they can easily exfiltrate data from the victim, spread their malware to other computer hosts within the organization’s network via Microsoft TeamViewer, and encrypt a company’s files.


The Golden Chickens group (aka Venom Spider) is believed to be the threat operator behind more_eggs. Thus far this year, TRU has discovered and shut down four separate security incidents relating to more_eggs. The organizations attacked include a U.S.-based aerospace/defense company; a large UK-based CPA firm; an international business law firm based out of Canada; and a national Canadian staffing agency.



































