Cybersecurity researchers have spotted a phishing attack distributing the More_eggs malware by masquerading it as a resume, a technique originally detected more than two years ago.
The attack, which was unsuccessful, targeted an unnamed company in the industrial services industry in May 2024, Canadian cybersecurity firm eSentire disclosed last week.
"Specifically, the targeted individual was a recruiter that was deceived by the threat actor into thinking they were a job applicant and lured them to their website to download the loader," it said.
More_eggs, believed to be the work of a threat actor known as the Golden Chickens (aka Venom Spider), is a modular backdoor that's capable of harvesting sensitive information. It's offered to other criminal actors under a Malware-as-a-Service (MaaS) model.
Last year, eSentire unmasked the real-world identities of two individuals – Chuck from Montreal and Jack from Romania – who are said to be running the operation.
The latest attack chain entails the malicious actors responding to LinkedIn job postings with a link to a fake resume download site that results in the download of a malicious Windows Shortcut file (LNK).
It's worth noting that previous More_eggs activity has targeted professionals on LinkedIn with weaponized job offers to trick them into downloading the malware.
"Navigating to the same URL days later results in the individual's resume in plain HTML, with no indication of a redirect or download," eSentire noted.
The LNK file is then used to retrieve a malicious DLL by leveraging a legitimate Microsoft program called ie4uinit.exe, after which the library is executed using regsvr32.exe to establish persistence, gather data about the infected host, and drop additional payloads, including the JavaScript-based More_eggs backdoor.
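The LNK to ie4uinit.exe to regsvr32.exe sequence described above is the kind of chain a detection engineer would look for in process-creation telemetry. The Python below is an added example written for this page, not eSentire's code or indicators: the event records are constructed, and the heuristics (explorer.exe as the parent of ie4uinit.exe, regsvr32.exe registering a DLL from a user-writable directory, a ten-minute pairing window on the same host and user) are assumptions chosen for illustration.

```python
"""Hunt for a suspicious ie4uinit.exe run followed by regsvr32.exe loading a DLL
from a user-writable location, on the same host and user, within a short window.
Added example for this page; the events are constructed in a simplified
Sysmon-Event-1-like shape and the heuristics below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str          # full path of the newly created process
    cmdline: str
    parent_image: str   # full path of the parent process


# Directories an unprivileged user can write to (assumption: tune to your estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_user_writable(text: str) -> bool:
    return any(d in text.lower() for d in USER_WRITABLE)


def is_suspicious_ie4uinit(ev: ProcEvent) -> bool:
    """ie4uinit.exe normally runs from System32 under svchost/runonce at logon.
    A run parented by explorer.exe (what launches a double-clicked .lnk) or from a
    user-writable directory is the anomaly we flag (assumption)."""
    if _basename(ev.image) != "ie4uinit.exe":
        return False
    return _basename(ev.parent_image) == "explorer.exe" or _in_user_writable(ev.image)


def is_suspicious_regsvr32(ev: ProcEvent) -> bool:
    """regsvr32.exe registering/executing a DLL that lives where a user can write."""
    if _basename(ev.image) != "regsvr32.exe":
        return False
    return _in_user_writable(ev.cmdline)


def find_chains(events: List[ProcEvent],
                window: timedelta = timedelta(minutes=10)) -> List[Tuple[ProcEvent, ProcEvent]]:
    """Pair each suspicious ie4uinit.exe event with a suspicious regsvr32.exe event
    that follows it within `window` on the same host and user."""
    ordered = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, first in enumerate(ordered):
        if not is_suspicious_ie4uinit(first):
            continue
        for later in ordered[i + 1:]:
            if later.ts - first.ts > window:
                break
            if (later.host, later.user) == (first.host, first.user) and is_suspicious_regsvr32(later):
                hits.append((first, later))
    return hits


# Constructed sample telemetry (not real indicators). Paths and names are invented.
T0 = datetime(2024, 5, 14, 9, 55, 0)
SAMPLE_EVENTS = [
    # benign: logon-time icon cache refresh parented by svchost
    ProcEvent(T0, "WS-RECRUITER-01", "rec", r"C:\Windows\System32\ie4uinit.exe",
              "ie4uinit.exe -ClearIconCache", r"C:\Windows\System32\svchost.exe"),
    # suspicious: ie4uinit launched by explorer (consistent with a clicked .lnk)
    ProcEvent(T0 + timedelta(minutes=5, seconds=5), "WS-RECRUITER-01", "rec",
              r"C:\Windows\System32\ie4uinit.exe", "ie4uinit.exe", r"C:\Windows\explorer.exe"),
    # suspicious: regsvr32 loading a DLL from the user's Temp directory
    ProcEvent(T0 + timedelta(minutes=5, seconds=9), "WS-RECRUITER-01", "rec",
              r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\rec\AppData\Local\Temp\resume.dll",
              r"C:\Windows\explorer.exe"),
    # benign: installer registering a DLL under Program Files
    ProcEvent(T0 + timedelta(minutes=7), "WS-RECRUITER-01", "rec",
              r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\app.dll"', r"C:\Windows\System32\msiexec.exe"),
    # suspicious regsvr32 on another host, but with no preceding ie4uinit run: not paired
    ProcEvent(T0 + timedelta(minutes=8), "WS-FINANCE-02", "bob",
              r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\bob\Downloads\x.dll", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for a, b in find_chains(SAMPLE_EVENTS):
        print(f"[{a.host}/{a.user}] ie4uinit at {a.ts:%H:%M:%S} -> regsvr32 at {b.ts:%H:%M:%S}: {b.cmdline}")
```

Run on its own the script reports the single WS-RECRUITER-01 pair; the benign logon-time ie4uinit.exe run and the Program Files registration are left alone, and the lone regsvr32.exe event on the other host is a candidate for a separate, lower-confidence rule rather than this chain.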
"More_eggs campaigns are still active and their operators continue to use social engineering tactics such as posing to be job applicants who are looking to apply for a particular role, and luring victims (specifically recruiters) to download their malware," eSentire said.
"Additionally, campaigns like more_eggs, which use the MaaS offering, appear to be sparse and selective in comparison to typical malspam distribution networks."
The development comes as the cybersecurity firm also revealed details of a drive-by download campaign that employs fake websites for the KMSPico Windows activator tool to distribute Vidar Stealer.
"The kmspico[.]ws site is hosted behind Cloudflare Turnstile and requires human input (entering a code) to download the final ZIP package," eSentire noted. "These steps are unusual for a legitimate application download page and are done to hide the page and final payload from automated web crawlers."
Similar social engineering campaigns have also set up lookalike sites impersonating legitimate software like Advanced IP Scanner to deploy Cobalt Strike, Trustwave SpiderLabs said last week.
It also follows the emergence of a new phishing kit called V3B that has been put to use to single out banking customers in the European Union with the goal of stealing credentials and one-time passwords (OTPs).
The kit, offered for $130-$450 per month under a Phishing-as-a-Service (PhaaS) model via the dark web and a dedicated Telegram channel, is said to have been active since March 2023. It's designed to support over 54 banks located in Austria, Belgium, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, and the Netherlands.
The most important aspect of V3B is that it features customized and localized templates to mimic various authentication and verification processes common to online banking and e-commerce systems in the region.
It also comes with advanced capabilities to interact with victims in real-time and get their OTP and PhotoTAN codes, as well as execute a QR code login jacking (aka QRLJacking) attack on services such as WhatsApp that allow sign-in via QR codes.
"They have since built a client base focused on targeting European financial institutions," Resecurity said. "Currently, it is estimated that hundreds of cybercriminals are using this kit to commit fraud, leaving victims with empty bank accounts."
Reference
[1]https://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html