Hackers Attacking HR Departments with Fake Resumes That Drop More_eggs Malware


May 6, 2025 - 04:57

A sophisticated cyber campaign targeting corporate human resources departments has been uncovered, with attackers exploiting the routine practice of opening job application attachments to deploy a dangerous backdoor.

The financially motivated threat group Venom Spider is behind this campaign, sending spear-phishing emails to hiring managers and recruiters with links to download what appear to be candidate resumes but are actually malicious files.

The backdoor, known as More_eggs, is a particularly concerning threat as it can be leveraged for a wide array of malicious activities, from credential theft to stealing sensitive customer payment data, intellectual property, and trade secrets.

This represents a tactical evolution for Venom Spider, which has historically focused on industries utilizing online payment portals or e-commerce sites, including retail, entertainment, and pharmacy sectors.

Arctic Wolf researchers identified that this pivot to targeting HR departments puts virtually every industry at risk due to one universal vulnerability: the need to hire new employees.

Their analysis revealed several upgrades in the malware design specifically engineered to infect victims more effectively and evade automated security analysis techniques like sandboxing.

What makes HR departments particularly vulnerable is the nature of their work. Recruiters and hiring managers routinely must open email attachments from unknown external sources as a fundamental part of their job.

Threat actors have recognized and are actively exploiting this operational necessity, making HR one of the weakest links in organizational security.

The infection begins when a recruiter receives a spear-phishing email containing a link supposedly leading to a job applicant’s resume.

Upon clicking, the victim is directed to an actor-controlled website with a CAPTCHA verification step, a clever technique that helps bypass automatic security scanners while appearing legitimate to human users.

Infection Mechanism: From Resume to Backdoor

The infection chain is remarkably sophisticated. After the victim passes the CAPTCHA test, a zip file downloads that contains a malicious Windows shortcut (.lnk) file alongside an image file serving as a distraction.

The threat actor’s infrastructure employs server polymorphism, generating a unique malicious .lnk file for each download with different code obfuscation and file sizes (ranging from 11,600 to 11,900 bytes), making each attack instance unique.

When executed, the malicious shortcut runs a highly obfuscated Windows Command Shell script that creates and writes to a file at %temp%\ieuinit.inf.

This script launches Microsoft WordPad to distract the user while covertly executing commands through the legitimate Windows utility ie4uinit.exe.

Venom Spider attack flow (Source – Arctic Wolf)

A segment of the batch file shows this deception:

    @echo off
    rem launch WordPad in the foreground as the decoy the user expects to see
    start "" "%ProgramFiles%\Windows NT\Accessories\wordpad.exe"...
    rem build a minimal INF file in %temp% for the ie4uinit.exe LOLBin to consume
    echo [version] > "%temp%\ieuinit.inf"
    echo Signature=$CHICAGO$ >> "%temp%\ieuinit.inf"
    echo [DefaultInstall] >> "%temp%\ieuinit.inf"
    cacls "%windir%\system32\ie4uinit.exe" /Y /C /Q

The infection progresses with the creation of the More_eggs_Dropper library at C:\Users\%username%\AppData\Roaming\Adobe\d{5}.dll (d{5} denoting a five-digit file name), which generates a new JavaScript payload each time it executes.

This JavaScript utilizes sophisticated encryption with a hard-coded key combined with three bytes obtained through brute force, a technique that typically requires several minutes of processing time, effectively evading automated analysis systems.

Venom Spider’s JavaScript (Source – Arctic Wolf)

Venom Spider’s JavaScript dropper payload shows how the malware employs encrypted data blocks that are only decrypted on the victim’s system using a combination of system-specific information like computer name and processor identifier.

Once fully operational, More_eggs collects extensive system information, including OS installation date, antivirus details, username, computer name, OS version, IP address, and more, sending this intelligence back to command-and-control servers for the threat actor to leverage in further exploits or data theft operations.
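The infection chain above (shortcut-launched cmd.exe writing %temp%\ieuinit.inf, the WordPad decoy, ie4uinit.exe as the execution proxy, and the five-digit dropper DLL under AppData\Roaming\Adobe) gives a detection engineer several host-level indicators to correlate. The following is an added example, not code from Arctic Wolf or from the article; the Sysmon-style events, host names, file paths and command lines are constructed for illustration, and the indicator names and alert threshold are assumptions.

```python
import re

# Constructed Sysmon-style process-create and file-create events (not real telemetry),
# modelled on the chain described in the article.  "fin-ws02" is a benign control:
# ie4uinit.exe started by svchost.exe, not by a cmd.exe spawned from a .lnk.
SAMPLE_EVENTS = [
    {"host": "hr-ws01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd /c "C:\Users\jdoe\Downloads\Resume_JDoe.lnk"'},
    {"host": "hr-ws01", "type": "file", "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\ieuinit.inf"},
    {"host": "hr-ws01", "type": "process",
     "image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "wordpad.exe"},
    {"host": "hr-ws01", "type": "process", "image": r"C:\Windows\System32\ie4uinit.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "ie4uinit.exe"},
    {"host": "hr-ws01", "type": "file", "image": r"C:\Windows\System32\ie4uinit.exe",
     "path": r"C:\Users\jdoe\AppData\Roaming\Adobe\48213.dll"},
    {"host": "fin-ws02", "type": "process", "image": r"C:\Windows\System32\ie4uinit.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "ie4uinit.exe"},
]

# Path patterns taken from the article: %temp%\ieuinit.inf and Roaming\Adobe\d{5}.dll
INF_RE = re.compile(r"\\Temp\\ieuinit\.inf$", re.I)
DLL_RE = re.compile(r"\\AppData\\Roaming\\Adobe\\\d{5}\.dll$", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def indicators(ev):
    """Return the chain indicators (assumed names) that a single event satisfies."""
    hits = []
    if ev["type"] == "process":
        img, parent = basename(ev["image"]), basename(ev["parent"])
        if img == "cmd.exe" and ".lnk" in ev["cmdline"].lower():
            hits.append("cmd_from_lnk")            # shortcut launching the batch script
        if parent == "cmd.exe" and img == "ie4uinit.exe":
            hits.append("ie4uinit_from_cmd")       # LOLBin used as execution proxy
        if parent == "cmd.exe" and img == "wordpad.exe":
            hits.append("wordpad_decoy")           # distraction window for the user
    else:
        if basename(ev["image"]) == "cmd.exe" and INF_RE.search(ev["path"]):
            hits.append("ieuinit_inf_written")     # INF file staged for ie4uinit.exe
        if DLL_RE.search(ev["path"]):
            hits.append("dropper_dll_roaming_adobe")
    return hits

def correlate(events, threshold=2):
    """Group indicators per host; a host with >= threshold distinct indicators is flagged."""
    per_host = {}
    for ev in events:
        for hit in indicators(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return {host: sorted(hits) for host, hits in per_host.items() if len(hits) >= threshold}
```

Any single indicator (for example ie4uinit.exe on its own) is noisy on a normal Windows host; the value is in the correlation of the staged INF file, the cmd.exe parent and the decoy with the dropper path.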


The post Hackers Attacking HR Departments with Fake Resumes That Drop More_eggs Malware appeared first on Cyber Security News.