Phishing attacks targeting hiring managers have been spotted. The "More_Eggs" malware has been observed using fake CVs as its attack vector, having previously targeted hopeful candidates on LinkedIn last year.
"This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting jobseekers with fake job offers," eSentire's research and reporting lead, Keegan Keplinger, said in a statement.
"The social engineering method for this current more_eggs campaign consisted of disguising a zipped copy of the VenomLNK malware as a job applicant's resume. A benign PDF resume is included as well, which serves as a decoy resume, while more_eggs installs TerraLoader in the background," Keplinger said.
"More_eggs achieves execution by passing malicious code to legitimate Windows processes and letting those Windows processes do the work for them," Keplinger continued.
The CVs exist to distract the recipient: while the user reads the decoy resume, More_Eggs installs its loader in the background and avoids attention.
The clear role reversal compared with last year's attacks leaves us questioning the operators' motives. It's possible that the aim is to open a backdoor for follow-on attacks such as ransomware and information exfiltration, and this malware provides the perfect base for that.
So, how do you spot these emails?
As a hiring manager it can be difficult to spot these emails. Our usual advice is that if you are not expecting an email and it looks suspicious, it is likely a phishing email, and that you should check with the sender directly to confirm the email is legitimate. Neither is much help when receiving a CV: as a hiring manager you are expecting CVs, and you cannot easily verify an applicant you have never dealt with.
In this case, the attackers appear to be sending zip archives in the email, whereas CVs usually arrive as Word documents or PDFs. Our advice here is to be suspicious of all email attachments in general, and of zip archives in particular. Of course, Word documents and PDFs can also carry malware, but that is not how this particular malware appears to be spreading.
If you are unsure about any email attachments, we recommend contacting your IT department immediately. You should forward all phishing emails to firstname.lastname@example.org
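For a mail gateway or an IT team triaging a reported attachment, the pattern described above (a zip containing a decoy PDF next to a shortcut file) can be flagged automatically. The following is an added example, not code from the article or from eSentire; the suffix lists and the sample archive are constructed assumptions.

```python
import io
import zipfile

# Assumption: a starting list of attachment types that should never arrive as a "resume".
EXECUTABLE_SUFFIXES = (".lnk", ".exe", ".js", ".vbs", ".hta", ".scr", ".bat", ".cmd")
DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".rtf", ".txt")


def inspect_resume_archive(data: bytes) -> dict:
    """Inspect a zip attachment and report why it looks suspicious.

    Returns {'suspicious': bool, 'reasons': [str], 'entries': [str]}.
    """
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"suspicious": True, "reasons": ["not a valid zip archive"], "entries": []}
    names = zf.namelist()
    for name in names:
        lower = name.lower()
        if lower.endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"executable-type entry: {name}")
        # Double extension such as Resume.pdf.lnk: the visible part claims a document type.
        stem = lower.rsplit(".", 1)[0] if "." in lower else lower
        if stem.endswith(DOCUMENT_SUFFIXES) and not lower.endswith(DOCUMENT_SUFFIXES):
            reasons.append(f"document name masking another file type: {name}")
        if lower.endswith(".zip"):
            reasons.append(f"nested archive: {name}")
    has_doc = any(n.lower().endswith(DOCUMENT_SUFFIXES) for n in names)
    has_exec = any(n.lower().endswith(EXECUTABLE_SUFFIXES) for n in names)
    if has_doc and has_exec:
        reasons.append("decoy document bundled with an executable-type file")
    return {"suspicious": bool(reasons), "reasons": reasons, "entries": names}


def build_sample_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {name: content} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mirroring the described lure: a decoy PDF beside a shortcut-named file.
    sample = build_sample_archive({"Resume.pdf": b"%PDF-1.4 decoy", "Resume.pdf.lnk": b"placeholder"})
    print(inspect_resume_archive(sample))
```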