Cyberattackers Use HR Targets to Lay More_Eggs Backdoor

The FIN6 group is the likely culprit behind a spear-phishing campaign that demonstrates a shift in tactics, from targeting job seekers to going after those who hire.

Elizabeth Montalbano, Dark Reading

October 2, 2024

1 Min Read
chickens in a garden
Alamy

At a Glance

  • Threat actors are evolving their social engineering techniques, such as posing as job applicants and creating fake websites.
  • The availability of the "more_eggs" backdoor as part of a MaaS toolkit (Golden Chickens) complicates threat attribution.
  • IT teams should prioritize advanced threat detection measures and train employees to recognize social engineering attacks.

A long-active threat group known for targeting multinational financial organizations has been impersonating job seekers in order to target talent recruiters. The method is a spear-phishing campaign spreading the "more_eggs" backdoor, which is capable of executing secondary malware payloads.

Researchers from Trend Micro discovered campaign distributing the JScript backdoor, which is part of a malware-as-a-service (MaaS) toolkit called Golden Chickens, they revealed in analysis published this week published this week. They believe that the campaign is likely the work of FIN6, which is known for using the backdoor to target their victims. However, Trend Micro emphasized that the nature of the malware being a part of an MaaS package "blurs the lines between different threat actors" and thus makes precise attribution difficult.

FIN6 has been known in the past to pose as recruitment officers to target job seekers, but it appears to be "moving from posing as fake recruiters to now masquerading as fake job applicants" in a shift in tactics, Trend Micro researchers wrote in a blog post about the attacks.

Trend Micro identified the campaign when an employee who works as a talent search lead at a customer in the engineering sector downloaded a fake resume from a purported job applicant for a sales engineer position. The downloaded file executed a malicious .lnk file that resulted in a more_eggs infection.

Related:Linux Ransomware Threats: How Attackers Target Linux Systems

Continue Reading This Article on Dark Reading

Read more about:

Dark Reading

About the Authors

Elizabeth Montalbano

Elizabeth Montalbano

See more from Elizabeth Montalbano
Dark Reading

Dark Reading

Long one of the most widely read cyber security news sites on the Web, Dark Reading, a sister site to ITPro Today, is now the most trusted online community for security professionals like you. Dark Reading's community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.

See more from Dark Reading
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

ITPro Today's 2024 IT Priorities Report cover
Career Management
ITPro Today’s 2024 IT Priorities ReportITPro Today’s 2024 IT Priorities Report
byChristopher Tozzi
Sep 25, 2024
1 Min Read
a casually dressed it professionals is awkwardly projected on a video call screen in front of a large professional audience
Career Tips
My Manager Promised a Chill Meeting. I Got Ambushed Instead.My Manager Promised a Chill Meeting. I Got Ambushed Instead.
byDanielle Meinert
Sep 26, 2024
3 Min Read
a gavel at the center of a maze
Regulatory Compliance
Guide To Navigating the Legal Perils After a Cyber IncidentGuide To Navigating the Legal Perils After a Cyber Incident
byIan Horowitz
Sep 20, 2024
7 Min Read
Exclusive ITPro Resources
See all ITPro Resources

Featured Technical Explainers

multicloud concept
Cloud Computing
Cross-Cloud: The Next Evolution in Cloud Computing?Cross-Cloud: The Next Evolution in Cloud Computing?
Wi-Fi 6 speed logo glowing on virtual screen while businessperson points hand and using laptop computer.
IT Operations
Wi-Fi 6: A Step Forward, But Wired LAN Still Holds the CrownWi-Fi 6: A Step Forward, But Wired LAN Still Holds the Crown
American flag in front of a government building
IT Operations
Pros and Cons of Government IT JobsPros and Cons of Government IT Jobs
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

Recent What Is

technology interface with a person's hand drawing gears and cogs
PowerShell
Introduction To PowerShell Environment VariablesIntroduction To PowerShell Environment Variables
list of domains within the umbrella category of IT security
IT Security
What Is IT Security? Essentials of IT Security ExplainedWhat Is IT Security? Essentials of IT Security Explained