More_eggs Activity Persists Via Fake Job Applicant Lures

eSentire’s Threat Response Unit (TRU) detected a more_eggs campaign targeting an industrial services customer. The malware was delivered through a fake resume loader: the attacker posed as an applicant responding to a LinkedIn job listing and sent the recruiter a link to a fake resume download site. The chain uses an obfuscated Windows LNK/cmd.exe loader, a malicious DLL whose strings are RC4-decrypted, WMI-based execution, registry persistence via regsvr32.exe, and a web-based C2 channel, and it is tied to Golden Chickens/Venom Spider and operators such as FIN6, Evilnum, and Cobalt. #more_eggs #LinkedIn #LNK #RC4 #WMI #Regsvr32 #GoldenChickens #VenomSpider #FIN6 #Evilnum #Cobalt

Keypoints

  • TRU identified a more_eggs malware campaign targeting an industrial services customer in May 2024, blocked by MDR for Endpoint after the resume loader was opened.
  • Attackers used social engineering via a LinkedIn job listing to lure the recruiter to a fake resume download site.
  • The delivery uses a Windows LNK file that points to cmd.exe with obfuscated commands, ultimately leading to a malicious DLL (55609.dll) and persistence mechanisms.
  • A hijacked copy of the legitimate Windows binary ie4uinit.exe is used to execute the loader and download the malicious DLL from a remote domain.
  • The payload is highly obfuscated, uses RC4 to decrypt strings, and includes anti-debug/anti-sandbox checks before activation.
  • The malware establishes a C2 channel to a remote host (example: dcc.olcrv.com/login/tologin) to exfiltrate system info and receive tasks, with JavaScript components dropping further payloads.
  • Campaigns reuse MaaS-style delivery and LOLBINs (cmd.exe, wscript.exe, wmic.exe, msxsl.exe, powershell.exe, ie4uinit.exe) to evade detection and maintain stealth.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The attacker used a LinkedIn job listing to lure victims to a fake resume download site. “The delivery of the malware took place from the response to a LinkedIn job listing, where the attacker posed as a potential candidate, providing a link to the fake resume download site.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The shortcut points to the executable “cmd.exe” followed by a long, obfuscated command. “the shortcut points to the executable “cmd.exe” followed by a long, obfuscated command.”
  • [T1105] Ingress Tool Transfer – The loader downloads the malicious DLL from a remote URL. “to download the malicious DLL from a8advbiejf[.]christianvelour[.]com.”
  • [T1027] Obfuscated/Compressed Files and Information – The loader uses heavy obfuscation and RC4 to decrypt strings. “the malware uses the RC4 algorithm to decrypt the strings.”
  • [T1047] Windows Management Instrumentation – WMI is invoked to run the hijacked copy of ie4uinit.exe. “Windows’ WMI is invoked to run the hijacked copy of “ie4uinit.exe”.”
  • [T1218.011] Signed Binary Proxy Execution: Regsvr32 – The DLL is registered and executed via regsvr32.exe to establish persistence. “registered into the user’s registry and executed using “regsvr32.exe” to establish persistence.”
  • [T1059.007] Windows Script: JavaScript – Obfuscated JavaScript in the dropped text files and the payload uses JavaScript functions. “Within “1A4D05F30007.txt” there is a fair amount of JavaScript code with various functions.”
  • [T1071.001] Web Protocols – The payload communicates with a remote C2 server via web protocols. “to dcc.olcrv.com/login/tologin… sends details from the host’s system.”
  • [T1555] Credentials in Password Stores – The malware is capable of stealing usernames and passwords for various accounts. “steal valuable credentials, including usernames and passwords for corporate bank accounts, email accounts, and IT administrator accounts.”
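
A defender-side illustration of the LOLBIN chain in the techniques above, added here and not part of eSentire’s write-up: four heuristic rules run over constructed process-creation events (the ProcEvent fields, sample paths and the ‘hr’ user name are assumptions, not incident telemetry).

```python
"""Heuristic detections for the more_eggs LOLBIN chain summarised above (added example,
not eSentire's code). ProcEvent and SAMPLE_EVENTS are constructed to resemble EDR/Sysmon
process-creation telemetry; paths and the 'hr' user name are placeholders, not incident values."""
import re
from typing import NamedTuple

class ProcEvent(NamedTuple):
    parent: str    # parent image name, lower-case
    image: str     # child image name, lower-case
    cmdline: str   # full command line as logged
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|temp)\\", re.I)
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)

def exe_path(cmdline: str) -> str:
    """First token of the command line, with surrounding quotes removed."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""

def detect(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list = nothing suspicious)."""
    hits = []
    # Rule 1: ie4uinit.exe lives in System32; a copy running elsewhere is the "hijacked copy".
    if ev.image == "ie4uinit.exe" and not SYSTEM_DIRS.match(exe_path(ev.cmdline)):
        hits.append("ie4uinit_outside_system32")
    # Rule 2: ie4uinit.exe started through WMI (WmiPrvSE.exe is then the parent).
    if ev.image == "ie4uinit.exe" and ev.parent == "wmiprvse.exe":
        hits.append("ie4uinit_via_wmi")
    # Rule 3: regsvr32.exe registering a DLL from a user-writable directory (persistence step).
    if ev.image == "regsvr32.exe":
        m = DLL_ARG.search(ev.cmdline)
        if m and USER_WRITABLE.search(m.group(1) or m.group(2)):
            hits.append("regsvr32_user_writable_dll")
    # Rule 4: cmd.exe driving "wmic process call create", the launcher behind Rule 2.
    if (ev.image == "wmic.exe" and ev.parent == "cmd.exe"
            and re.search(r"process\s+call\s+create", ev.cmdline, re.I)):
        hits.append("cmd_wmic_process_create")
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not from the incident; the last two are benign
    ProcEvent("cmd.exe", "wmic.exe", r'wmic process call create "C:\Users\hr\AppData\Local\Temp\ie4uinit.exe"'),
    ProcEvent("wmiprvse.exe", "ie4uinit.exe", r"C:\Users\hr\AppData\Local\Temp\ie4uinit.exe"),
    ProcEvent("cmd.exe", "regsvr32.exe", r"regsvr32.exe /s C:\Users\hr\AppData\Roaming\55609.dll"),
    ProcEvent("svchost.exe", "ie4uinit.exe", r"C:\Windows\System32\ie4uinit.exe -ClearIconCache"),
    ProcEvent("msiexec.exe", "regsvr32.exe", r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'),
]

def triage(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map each event index to the rules it trips; events that trip nothing are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := detect(ev))}
```

The benign System32 run of ie4uinit.exe and the installer-driven regsvr32.exe registration trip nothing, which is the false-positive check to keep when porting these rules to a real query language.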

Indicators of Compromise

  • [Domain] a8advbiejf.christianvelour.com, dcc.olcrv.com – remote download/C2 domains observed in the campaign
  • [URL] https://dcc.olcrv.com/login/tologin – C2 login endpoint referenced by the payload
  • [File name] Christian C. Velour.LNK – launcher file used to execute the chain
  • [File name] 55609.dll – malicious payload DLL dropped by the loader
  • [File name] msxsl.exe – legitimate binary abused as part of the execution chain
  • [File name] ieuinit.inf – INF configuration generated by the loader to drive the DLL download and execution
  • [File name] 7E9CB3FBF4FD0B07.txt – obfuscated JavaScript payload
  • [File name] 1A4D05F30007.txt – JavaScript payload containing C2 logic

Read more: https://www.esentire.com/blog/more-eggs-activity-persists-via-fake-job-applicant-lures