A cybersecurity company has found that two Canadian organizations – an international business law firm and a national staffing agency – were the targets of a malicious spear-phishing campaign by threat actors looking to infect the organizations through malware-laden resumes.
In its latest cybersecurity blog post, eSentire noted that apart from the two Canadian organizations (whose identities were not disclosed for security reasons), a US-based aerospace/defense company and a UK-based CPA firm were the two other recent targets of hackers using the more_eggs malware. In total, four different more_eggs security incidents were exposed in late March.
eSentire’s Threat Response Unit (TRU) uncovered the hackers’ malware scheme when it found that the malicious actors had posed as job applicants. Through email, the “applicants” would try to trick corporate hiring managers into downloading what they believed to be resumes but were actually the more_eggs malware. The TRU warned that more_eggs has several components designed to steal credentials such as usernames and passwords for corporate bank accounts, email accounts, and IT administrator accounts.
“Once accessed, the hackers exfiltrate data from the victim organization, spread to other computer hosts via TeamViewer, and encrypt files,” eSentire warned, adding that it suspects the hacking group Golden Chickens to be behind the malware operation.
It was suggested that the hackers did not pick their targets for the spear-phishing attack at random. eSentire pointed out that both the CPA firm and the staffing agency had a job listing posted on Indeed.com and LinkedIn, and the listings matched the title of the fraudulent resumes used in the scheme. The US aerospace company also had a job listed on Recruiter.com that matched the title of the fake resume used against it.
eSentire noted that the resume malware scheme comes about a year after it had discovered a similar spear-phishing campaign – but that one was against professionals looking for a job on LinkedIn. The malware used in that previous scheme was an earlier version of more_eggs, and the hackers tried to get victims to open an infected zip file by naming it after the job seeker’s current job title with the word “position” appended.
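The lure pattern described above (an archive attachment whose name is a job title plus a suffix such as “position”, sent to an organization that has that exact role posted publicly) is something a mail-security team can turn into a triage signal. The following is an added example, not code from eSentire or from the article; it constructs its own sample attachments, open job titles and internal domain, and the archive extensions and suffix list it checks are assumptions rather than indicators from the campaign. It flags an attachment when it comes from an external sender, is an archive, and its filename, after stripping trailing lure words, matches one of the organization’s currently advertised roles.

```python
import os
import re
from dataclasses import dataclass

# Archive types often used to wrap a malicious loader (assumption, not from the article).
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso"}
# Trailing words a lure appends to the job title; the article reports "position",
# the others are assumed variants.
LURE_SUFFIXES = ("position", "resume", "cv", "application")


@dataclass
class Attachment:
    """Minimal view of an inbound attachment: sending domain and filename."""
    sender_domain: str
    filename: str


def normalize(text: str) -> str:
    """Lowercase and collapse separators so 'Senior_Corporate-Lawyer' == 'senior corporate lawyer'."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def strip_lure_suffixes(stem: str) -> str:
    """Remove trailing lure words ('... position', '... resume') so only the job title remains."""
    changed = True
    while changed:
        changed = False
        for suffix in LURE_SUFFIXES:
            if stem.endswith(" " + suffix):
                stem = stem[: -len(suffix) - 1].rstrip()
                changed = True
    return stem


def flag_resume_lure(att: Attachment, open_titles, internal_domains):
    """Return a reason string when the attachment is an external archive named after
    an open role, otherwise None."""
    if att.sender_domain.lower() in internal_domains:
        return None  # internal mail is out of scope for this heuristic
    stem, ext = os.path.splitext(att.filename)
    if ext.lower() not in ARCHIVE_EXTS:
        return None  # only archives are scored here
    title = strip_lure_suffixes(normalize(stem))
    if title in {normalize(t) for t in open_titles}:
        return f"external archive named after open role '{title}'"
    return None


def scan(attachments, open_titles, internal_domains):
    """Return [(filename, reason)] for every attachment the heuristic flags."""
    hits = []
    for att in attachments:
        reason = flag_resume_lure(att, open_titles, internal_domains)
        if reason:
            hits.append((att.filename, reason))
    return hits


# Constructed sample data: roles the (hypothetical) firm currently advertises,
# its own mail domain, and four inbound attachments.
OPEN_TITLES = ["Senior Corporate Lawyer", "Payroll Specialist"]
INTERNAL_DOMAINS = {"example-law.test"}
SAMPLE = [
    Attachment("mail.example", "Senior_Corporate_Lawyer_position.zip"),   # external archive, matches role
    Attachment("mail.example", "Senior Corporate Lawyer Resume.pdf"),     # not an archive
    Attachment("example-law.test", "payroll_specialist_position.zip"),    # internal sender
    Attachment("mail.example", "quarterly_report.zip"),                   # no role match
]

if __name__ == "__main__":
    for filename, reason in scan(SAMPLE, OPEN_TITLES, INTERNAL_DOMAINS):
        print(f"FLAG {filename}: {reason}")
```

On the constructed sample only the first attachment is flagged. The match against open job titles is what separates this from a generic “block all zip attachments” rule: it keys on the targeting the article describes, where the lure name mirrors a public listing. A hit is a reason to detonate the attachment in a sandbox and alert the hiring manager, not a verdict on its own.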