Page 166 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
The 2022 More_Eggs Operation – a Déjà Vu of the 2021 LinkedIn More_Eggs Campaign?
Ironically, an eerily similar more_eggs campaign was uncovered by eSentire’s TRU in March 2021. During that campaign, however, rather than posing as hopeful job candidates sending poisoned resumes, the threat actors targeted professionals on LinkedIn who were seeking employment. They sent the job seekers .zip files disguised as job offers; when a target opened the zip file, it led to the installation of more_eggs. The hackers tried to entice targets into clicking on the zip file by naming it after the job seeker’s current job title with “position” appended.

For example, if the LinkedIn member’s job was listed as ‘Senior Account Executive—International Freight,’ the malicious zip file would be titled ‘Senior Account Executive — International Freight position.’
TRU Disrupts More_Eggs Attacks Hitting an Aerospace/Defense Company, International Law Firm, International CPA Firm and National Staffing Agency
When TRU discovered and shut down the four more_eggs incidents this year, each incident involved a new variant of more_eggs.

TRU believes that the threat actors behind the 2022 more_eggs campaign are not targeting companies at random. For example, the CPA firm and the staffing agency both listed a job posting on Indeed.com and LinkedIn that matches the title of the resume each hiring manager received. The aerospace/defense company also had a job listed on ZipRecruiter.com that matches the title of the fake resume it received.
The Inner Workings of More_Eggs
More_eggs is a sophisticated suite of malware components. One of those components is VenomLNK, which is used to trick the victim into installing TerraLoader. TerraLoader is an intermediate component used to install numerous modules designed to take malicious actions such as credential theft, lateral movement, and file encryption throughout a victim’s IT network. Here is a full breakdown:
• VenomLNK is a poisoned LNK file. Windows uses LNK files to automate program execution. More_eggs uses a maliciously written LNK file to execute TerraLoader by tricking the user into opening what they think is a document.
• TerraLoader loads the other modules from VenomLNK.
• TerraPreter provides a Meterpreter (a Metasploit attack payload) shell in memory.
• TerraStealer is an info-stealing module used to exfiltrate sensitive data.
• TerraTV allows threat actors to hijack TeamViewer for lateral movement.
• TerraCrypt is a ransomware plugin for PureLocker ransomware, aka CR1 Ransomware, a lesser-known ransomware.
The social engineering method for the 2022 more_eggs campaign consisted of disguising a zipped copy of the VenomLNK malware as a job applicant’s resume. A benign PDF resume was included as well, serving as a decoy while more_eggs installed TerraLoader.
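The two defender-side checks the description above suggests are (a) whether an inbound "resume" archive contains a Windows shortcut at all, and (b) whether that shortcut is dressed up as a document while its target is a script or command interpreter. The following Python script is an added example for this article, not eSentire/TRU tooling and not code from the campaign. It parses the fixed 76-byte ShellLinkHeader and the StringData fields of a .lnk file according to the public MS-SHLLINK layout, then triages every .lnk inside a ZIP. The sample archive, its file names, the decoy PDF bytes and the PLACEHOLDER_ARGUMENT command line are all constructed here for the demonstration.

```python
"""Triage a resume-style ZIP for shortcut (.lnk) files posing as documents."""
import io
import struct
import uuid
import zipfile

# CLSID that every Shell Link (MS-SHLLINK) file carries at offset 4.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that govern which optional sections follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Interpreters that a shortcut claiming to be a document has no reason to launch.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DOC_EXTS = (".pdf", ".doc", ".docx", ".rtf", ".txt")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and StringData fields of a .lnk; raise if it is not a Shell Link."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDList: uint16 size (excl. itself) + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode_strings = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
            pos += 2
            nbytes = count * 2 if unicode_strings else count
            raw = data[pos:pos + nbytes]
            fields[key] = raw.decode("utf-16-le" if unicode_strings else "cp1252")
            pos += nbytes
    return fields


def lnk_findings(entry_name: str, fields: dict) -> list:
    """Heuristics for a shortcut that is dressed up as a document."""
    findings = []
    if entry_name.lower()[:-4].endswith(DOC_EXTS):          # e.g. Resume.pdf.lnk
        findings.append("double extension: shortcut named like a document")
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in SCRIPT_HOSTS:
        findings.append(f"target is interpreter {target}")
    if fields.get("arguments"):
        findings.append("shortcut passes command-line arguments")
    return findings


def triage_zip(zip_bytes: bytes) -> dict:
    """Map every .lnk entry in the archive to its list of findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        has_decoy = any(n.lower().endswith(DOC_EXTS) for n in names)
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            try:
                findings = lnk_findings(name, parse_lnk(zf.read(name)))
            except ValueError as exc:
                findings = [f"unparseable LNK: {exc}"]
            if has_decoy:
                findings.append("archive also carries a document that can act as a decoy")
            results[name] = findings
    return results


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal LNK: 76-byte header plus Unicode StringData, no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))  # attributes, timestamps etc. left zero
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


def build_sample_zip() -> bytes:
    """Constructed lure for testing: a decoy PDF plus a shortcut named after a job title."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume.pdf", b"%PDF-1.4 constructed decoy, not a real resume")
        zf.writestr("Senior Account Executive position.pdf.lnk",
                    build_lnk("..\\..\\Windows\\System32\\cmd.exe", "/c PLACEHOLDER_ARGUMENT"))
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in triage_zip(build_sample_zip()).items():
        print(entry)
        for finding in findings:
            print("  -", finding)
```

The parser deliberately stops after StringData and ignores the ExtraData blocks, which is enough to recover the target and arguments that matter for triage; a production gateway would also resolve the LinkTargetIDList, since a shortcut can omit RELATIVE_PATH and carry its target only there. Because the check runs on the archive before anything is opened, it fits at the mail gateway or in a sandbox pre-filter rather than on the hiring manager's desktop.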