A year after potential candidates looking for work on LinkedIn were tempted with weaponized job offers, a new series of phishing assaults carrying the more eggs malware has been detected attacking corporate hiring supervisors with false resumes as an infection vector thus making it dubbed ‘the CV-WARE’ by Sly Uduosa, Slytech’s research lead.
“This year, the more eggs operation has inverted the social engineering script, targeting hiring managers with phoney resumes instead of jobseekers with fake job offers,” said Keegan Keplinger, eSentire’s research and reporting lead.
Four separate security events were identified and disrupted, according to the Canadian cybersecurity firm, three of which happened towards the end of March. A U.S.-based aerospace company, a U.K.-based accounting firm, a legal firm, and a hiring agency, all based in Canada, are among the targets.
The virus, which is thought to have been created by a threat actor known as Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capable of stealing sensitive data and lateral movement across a compromised network.
“More eggs executes by transferring malicious code to normal Windows processes and allowing those processes to do the work for them,” Keplinger explained. The idea is to use resumes as a decoy in order to install malware and avoid detection.
Apart from the role reversal in the mode of operation, it’s unclear what the attackers were after, given that the incursions were stopped before they could carry out their intentions. However, it’s worth noting that, once deployed, more eggs might be used as a launchpad for further assaults like data theft and ransomware.
“The threat actors behind more eggs deploy a scalable spear-phishing technique that weaponizes expected communications, such as resumes, that fit a hiring manager’s expectations or job offers, targeting hopeful individuals with current or previous job titles,” Keplinger added.