A spear-phishing email campaign is targeting recruiters. The attackers use fake job applications to deliver a JavaScript backdoor known as More_eggs.
This campaign is attributed to the Golden Chickens group.
From the source:
"A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more_eggs backdoor infection," Trend Micro researchers Ryan Soliven, Maria Emreen Viray, and Fe Cureg said in an analysis.
More_eggs, sold as a malware-as-a-service (MaaS), is a malicious software that comes with capabilities to siphon credentials, including those related to online bank accounts, email accounts, and IT administrator accounts.
It's attributed to a threat actor called the Golden Chickens group (aka Venom Spider), and has been put to use by several other e-crime groups like FIN6 (aka ITG08), Cobalt, and Evilnum. https://thehackernews.com/2024/10/fake-job-applications-deliver-dangerous.html (Oct. 02, 2024).
Commentary
More_eggs is a sophisticated backdoor trojan that operates through several key mechanisms to steal data and perform other malicious activities.
The malware typically enters a system via spear-phishing emails containing malicious links or attachments disguised as legitimate files, like a resumé. Once executed, More_eggs establishes a connection with a command-and-control server using encrypted channels. Once that is accomplished, it can download and execute additional payloads, such as infostealers or ransomware.
The malware gathers system information, including the operating system, computer name, IP address, and user details. It also checks for installed anti-malware programs and uses various techniques, such as encryption, to evade detection.
The More_eggs system and the criminal gangs that use it are targeting employers. Criminals know that employers are always seeking talent. They are also aware that it is customary to review resumés sent to you, perhaps save the resumé for future reference, and acknowledge receipt of the resumé as a matter of professional courtesy.
The final takeaway is that if someone sends you an unsolicited message with an attached resumé, you should never reply to the message, and you should not select any attachment or link embedded in the message.