Page 166 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

The 2022 More_Eggs Operation – a Déjà Vu of the 2021 LinkedIn More_Eggs Campaign?

Ironically, an eerily similar more_eggs campaign was uncovered by eSentire's TRU in March 2021. However, during that campaign, rather than posing as hopeful job candidates sending poisoned resumes, the threat actors targeted professionals on LinkedIn seeking employment. They sent the job seekers .zip files disguised as job offers. When the targets opened the zip file, it led to the installation of more_eggs. The hackers tried enticing the targets into clicking on the zip file by naming it after the job seeker's current job title and adding "position" at the end.

For example, if the LinkedIn member's job was listed as 'Senior Account Executive—International Freight,' the malicious zip file would be titled 'Senior Account Executive — International Freight position.'



TRU Disrupts More_Eggs Attacks Hitting an Aerospace/Defense Company, International Law Firm, International CPA Firm and National Staffing Agency

When TRU discovered and shut down the four more_eggs incidents this year, each incident involved a new variant of more_eggs.

TRU believes that the threat actors behind the 2022 more_eggs campaign are not randomly targeting companies. For example, the CPA firm and the staffing agency each list a job posting on Indeed.com and LinkedIn whose title matches the title of the resume the hiring manager received. The aerospace/defense company also had a job listed on ZipRecruiter.com whose title matches that of the fake resume it received.



The Inner Workings of More_Eggs

More_eggs is a sophisticated suite of malware components. One of those components is VenomLNK (a component used to trick the victim into installing TerraLoader). TerraLoader is an intermediate component used to install numerous modules designed to take malicious actions such as credential theft, lateral movement, and file encryption throughout a victim's IT network. Here is a full breakdown:

• VenomLNK is a poisoned LNK file. Windows uses LNK files to automate program execution. More_eggs uses a maliciously written LNK file to execute TerraLoader by tricking the user into opening what they think is a document.
• TerraLoader loads the other modules from VenomLNK.
• TerraPreter provides a Meterpreter (a Metasploit attack payload) shell in memory.
• TerraStealer is an info-stealing module used to exfiltrate sensitive data.
• TerraTV allows threat actors to hijack TeamViewer for lateral movement.
• TerraCrypt is a ransomware plugin for PureLocker ransomware, aka CR1 Ransomware, a lesser-known ransomware.

The social engineering method for the 2022 more_eggs campaign consisted of disguising a zipped copy of the VenomLNK malware as a job applicant's resume. A benign PDF resume was included as well, which served as a decoy resume, while more_eggs installed TerraLoader.
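The two lure patterns described above (a shortcut file named after a job title with "position" appended, and a zipped LNK shipped next to a benign PDF decoy) are both visible to a mail gateway or sandbox before anything executes. The following is an added example written for this page, not eSentire's or TRU's tooling: it opens an archive in memory, identifies members that carry the Windows shell link header (the fixed 0x4C header size followed by the LinkCLSID, which is a documented property of the LNK format) regardless of their extension, flags document-style double extensions, and reports when a shortcut is bundled with a decoy document. The archive contents and file names are constructed sample values, not artifacts from the campaign.

```python
import io
import zipfile
from typing import List

# Windows shell link header: HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Extensions a recipient would expect a resume or job offer to carry.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def looks_like_lnk(data: bytes) -> bool:
    """True if the first 20 bytes match the shell link header, whatever the file is named."""
    return data[:20] == LNK_MAGIC


def triage_archive(zip_bytes: bytes) -> List[str]:
    """Return a list of human-readable findings for a zip archive held in memory."""
    findings: List[str] = []
    shortcut_members: List[str] = []
    has_decoy_document = False

    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as member:
                head = member.read(20)
            is_lnk = looks_like_lnk(head)

            if is_lnk or lower.endswith(".lnk"):
                shortcut_members.append(name)
                findings.append(f"shortcut member: {name}")
                if is_lnk and not lower.endswith(".lnk"):
                    # Header says shortcut, name says something else.
                    findings.append(f"LNK header under non-.lnk name: {name}")
                parts = lower.rsplit("/", 1)[-1].split(".")
                if len(parts) > 2 and "." + parts[-2] in DOC_EXTENSIONS:
                    # e.g. resume.pdf.lnk, which Explorer may show as resume.pdf
                    findings.append(f"double extension: {name}")
            elif any(lower.endswith(ext) for ext in DOC_EXTENSIONS):
                has_decoy_document = True

    if shortcut_members and has_decoy_document:
        findings.append("shortcut bundled with decoy document")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample lure for demonstration only: two shortcuts plus a PDF decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A shortcut named after a job title with "position" appended (constructed name).
        zf.writestr("Senior Account Executive - International Freight position.lnk",
                    LNK_MAGIC + b"\x00" * 56)
        # A shortcut hiding behind a document-style double extension.
        zf.writestr("resume.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        # The benign decoy document that accompanies the shortcut.
        zf.writestr("resume.pdf", b"%PDF-1.4\n% constructed decoy, no content\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed archive containing only a document, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.pdf", b"%PDF-1.4\n% constructed, benign\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_archive(build_sample_archive()):
        print(line)
```

Checking the header bytes rather than the extension matters because the name is under the sender's control; the "bundled with decoy" finding is the weakest signal on its own, but combined with a shortcut member it reproduces exactly the packaging the article describes and is a reasonable trigger for quarantining the attachment for analyst review.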






