Hackers are hiding ‘more_eggs’ malware inside résumés

Personalized résumé links can spell trouble for IT networks

Francis Scialabba

Given a buzzing job market that’s continued heating up, hackers have found a clever vector for malware: résumés.

The stealthy, AV-evading attack, reported by the Ontario, Canada-based managed detection and response provider eSentire, takes advantage of an expected arrival for HR and highlights the importance of awareness training for those handling résumés and CVs.

Members of eSentire’s Threat Response Unit (TRU) team detected and shut down four recent attacks involving malware-serving résumés, including three incidents at the end of March 2022. The attackers targeted a US-based aerospace/defense company that makes and repairs airline components; a large UK-based CPA firm; an international business law firm based in Canada; and a national Canadian staffing agency, according to eSentire.

The malicious résumés contain the evasive, nothing-to-do-with-Easter “more_eggs” software, designed to steal usernames and passwords for IT admin accounts, email addresses, and corporate banks, according to the report from eSentire.

How it works: A malicious attachment will invite the reader to a personal, résumé-serving branding page. The unsuspecting résumé reader then downloads a poisoned LNK – a shortcut file, similar to a desktop icon, that automates program execution.

The name of the PDF attachment may include a person’s name, a realistic job title, and the word “résumé,” but the recipient won’t actually see a résumé, said Keegan Keplinger, a member of the TRU team.

“It’ll look like it’s broken, essentially, to a user that doesn’t recognize they’re clicking a link,” Keplinger, research and reporting lead at eSentire, told IT Brew.

Readers will receive the failure message below:

What runs once the poisoned “VenomLink” shortcut is downloaded and opened is a collection of intrusion malware launched by TerraLoader. TerraLoader installs a number of module options for an attacker looking to disrupt a victim’s IT network: credential theft, lateral movement, and file encryption, to name a few.

TerraLoader sets up a variety of malware-as-a-service modules like TerraStealer, which exfiltrate sensitive data. Other parts of the malware package include TerraTV, a program that allows threat actors to hijack the remote-support tool TeamViewer, and TerraCrypt, a ransomware plugin, per the eSentire report.

A Compromise of an Expected Attachment

The malware is an especially challenging threat in the midst of the Great Resignation, when HR teams are being inundated with résumés on the regular.

In 2019, Google was receiving more than three million applications per year.

“This is an expected communication. It’s something that [employers] are expecting to receive in the form of a résumé,” said Craig Dickinson, client success services director at the infosec cooperative SANS Institute. Dickinson works with clients on advisory services, particularly around threat vectors like phishing and security awareness training.

“There’s an element of trust there with regards to the résumé,” Dickinson told IT Brew.

The spear-phishing campaign is an effective one, said Erich Kron, a security awareness advocate at security awareness platform KnowBe4, because HR staff are working fast.

“They’re busy doing their thing, they’re reviewing résumés, they don’t think twice about, ‘Oh, this one has an attachment,’” said Kron.

To make the attack even trickier for hiring staff: The name of the attachment often features the name of the position that the employer is seeking to fill.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“If they’re looking for an accountant, it’ll load ‘accountant’ under that person’s name. If they’re looking for a director, it’ll put ‘director’ under that person’s name,” said Keplinger.

“The personalization is likely occurring when the attacker submits the PDF to the recruiting site. That’s when the attacker has the opportunity to see the job position and put the right words in,” Keplinger told IT Brew in a follow-up email.

The attack is in fact a reversal of a more_eggs incident spotted a year ago by eSentire, and detailed in a 2021 blog post by the company.

That time, rather than posing as hopeful job candidates, the threat actors targeted job seekers, sending disguised job offers to LinkedIn users. When the targets opened a zip file, more_eggs was installed.

What IT Teams Can Do

Corporations should protect their HR departments by deploying the usual email-inspection technology and flagging or deleting emails containing an infected attachment, said Dickinson. Another strong defense, according to the SANS Institute expert, is to create a central hiring portal—one that implements strong security controls.

“The application process should rely on…a candidate going in and filling out a formal application process that only grants text-based submissions,” Dickinson told IT Brew.

And a general rule that Dickinson emphasizes with clients: Never open any documents that require any type of customized commands, known as macros. If you get a message that asks “Do you want to enable active content?” everyone on the HR staff should know the answer.

“Macros are bad. Period,” said Dickinson.

HR teams should try to only accept documents in a form that does not enable macros, added Kron, like “docx.”
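The text-only or macro-free intake policy Dickinson and Kron describe, and the poisoned shortcut file mentioned earlier in the article, can both be enforced at the upload step of a hiring portal. The following is an added example written for this article, not code from IT Brew, eSentire, SANS Institute or KnowBe4; the extension allowlist, the decision to refuse embedded objects, and the sample files are assumptions. It accepts only PDF, macro-free Word and plain-text uploads, and checks the bytes rather than trusting the file name, so a Windows shortcut named like a PDF or a macro-enabled document renamed to .docx is refused.

```python
"""Intake filter for résumé uploads: allowlist text-centric formats and verify
the bytes match the claimed type. Added example for this article, not code
from IT Brew, eSentire, SANS Institute or KnowBe4; the allowlist and the
rejection rules are assumptions an HR portal operator would tune."""
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, Optional, Tuple

# Formats the portal stores (assumption: PDF, macro-free Word, plain text).
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".txt"}

# Shell link (.lnk) header: HeaderSize 0x4C followed by the fixed LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"


def inspect_docx(data: bytes) -> Optional[str]:
    """Return None if the ZIP looks like a plain .docx, else the rejection reason."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "docx is not a valid ZIP container"
    if "[Content_Types].xml" not in names or "word/document.xml" not in names:
        return "docx is missing required OOXML parts"
    for name in names:
        lower = name.lower()
        # Word keeps VBA macros in word/vbaProject.bin; a .docm renamed to
        # .docx still carries the part, so judge by content, not extension.
        if lower.endswith("vbaproject.bin"):
            return f"macro project present: {name}"
        # Embedded OLE objects can wrap arbitrary files; the policy here is
        # to refuse them outright (assumption).
        if lower.startswith("word/embeddings/"):
            return f"embedded object present: {name}"
    return None


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded file may enter the hiring pipeline."""
    ext = PurePosixPath(filename.lower()).suffix   # last suffix only: x.pdf.lnk -> .lnk
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not accepted"
    # A shortcut is rejected whatever it is called.
    if data.startswith(LNK_MAGIC):
        return False, "content is a Windows shortcut (.lnk)"
    if ext == ".pdf":
        if not data.startswith(PDF_MAGIC):
            return False, "pdf extension but content is not a PDF"
        return True, "pdf accepted"
    if ext == ".docx":
        if not data.startswith(ZIP_MAGIC):
            return False, "docx extension but content is not a ZIP container"
        reason = inspect_docx(data)
        return (False, reason) if reason else (True, "docx accepted")
    # .txt: must decode as UTF-8 so binary payloads cannot hide under it.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "txt extension but content is not UTF-8 text"
    return True, "txt accepted"


def build_docx(parts: Dict[str, bytes]) -> bytes:
    """Build a minimal OOXML-style ZIP in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples, not real submissions.
CLEAN_DOCX = build_docx({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
MACRO_DOCX = build_docx({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                         "word/vbaProject.bin": b"\x00"})
SHORTCUT_AS_PDF = LNK_MAGIC + b"\x00" * 56        # shortcut bytes under a .pdf name

if __name__ == "__main__":
    for fname, blob in [("jane_doe_accountant_resume.pdf", b"%PDF-1.7\n%constructed\n"),
                        ("jane_doe_accountant_resume.pdf", SHORTCUT_AS_PDF),
                        ("resume.docx", CLEAN_DOCX), ("resume.docx", MACRO_DOCX),
                        ("resume.docm", CLEAN_DOCX), ("resume.pdf.lnk", SHORTCUT_AS_PDF)]:
        print(fname, check_upload(fname, blob))
```

The content checks matter more than the allowlist: the article's attack chain hands the reader a shortcut file, and a name ending in .pdf tells you nothing about what the bytes are. Treating the upload form as the only intake path, as Dickinson suggests, is what makes this filter enforceable.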

The more_eggs malware is especially evasive because it uses signed, trusted Windows processes called LOLBins, or living-off-the-land binaries, to run malicious code. More_eggs abuses the signed Windows binary ie4uinit.exe, but antivirus software won’t necessarily catch that.

“The antivirus is just seeing a legitimate Windows process firing,” said Keplinger, who watched LOLBins to discover the attack. “It’s going to be hard to detect unless you’re doing some kind of LOLBin monitoring. You have to have a really good employee awareness, and a reporting system for that.”
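Keplinger’s point that “a legitimate Windows process firing” is only catchable with LOLBin monitoring is worth showing concretely. The block below is an added example for this article, not eSentire’s detection logic; it runs three simple heuristics over constructed Sysmon-style process-creation records (Event ID 1 field names). The only binary the article names is ie4uinit.exe; the other entries in the watch list, the set of suspicious parent processes, and the user-writable path markers are assumptions that a detection engineer would tune for their own estate.

```python
"""Toy LOLBin monitor over Sysmon-style process-creation (Event ID 1) records.
Added example for this article, not eSentire's detection logic; the binary
list, parent list and path heuristics are assumptions to tune per estate."""
import json
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Signed Windows binaries with documented living-off-the-land uses. The
# article names ie4uinit.exe; the others are assumptions drawn from the
# public LOLBAS catalogue.
LOLBINS = {"ie4uinit.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}

# Directories where these binaries legitimately live (assumed default install).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Parents that rarely have a business reason to launch system utilities:
# Office applications and script hosts (assumption).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}

# Working-directory markers for user-writable locations (assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def analyze(event: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one process-creation event."""
    image = PureWindowsPath(event.get("Image", ""))
    name = image.name.lower()
    if name not in LOLBINS:
        return []                       # not a binary we watch
    findings: List[str] = []

    # 1. A known system binary executing from a copy outside the system dirs.
    if not str(image.parent).lower().startswith(SYSTEM_DIRS):
        findings.append(f"{name} executed from non-system path {image.parent}")

    # 2. Launched by an Office application or script host.
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent in SUSPICIOUS_PARENTS:
        findings.append(f"{name} spawned by {parent}")

    # 3. Working directory is user-writable (where dropped companion files live).
    cwd = event.get("CurrentDirectory", "").lower()
    if cwd and not cwd.endswith("\\"):
        cwd += "\\"
    if any(marker in cwd for marker in USER_WRITABLE_MARKERS):
        findings.append(f"{name} working directory is user-writable: {event['CurrentDirectory']}")
    return findings


def scan(log_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run analyze() over JSON-lines records; return (ProcessId, findings) for hits."""
    hits: List[Tuple[str, List[str]]] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = analyze(event)
        if findings:
            hits.append((event.get("ProcessId", "?"), findings))
    return hits


# Constructed sample records (not real telemetry), using Sysmon Event ID 1 field names.
SAMPLE_LOG = [
    r'{"ProcessId": "1001", "Image": "C:\\Windows\\System32\\ie4uinit.exe", "ParentImage": "C:\\Windows\\System32\\runonce.exe", "CurrentDirectory": "C:\\Windows\\System32\\", "User": "CORP\\hr.user"}',
    r'{"ProcessId": "1002", "Image": "C:\\Users\\hr.user\\AppData\\Roaming\\ie4uinit.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CurrentDirectory": "C:\\Users\\hr.user\\AppData\\Roaming\\", "User": "CORP\\hr.user"}',
    r'{"ProcessId": "1003", "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CurrentDirectory": "C:\\Users\\hr.user\\Documents\\", "User": "CORP\\hr.user"}',
    r'{"ProcessId": "1004", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CurrentDirectory": "C:\\Users\\hr.user\\Downloads\\", "User": "CORP\\hr.user"}',
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_LOG):
        for finding in findings:
            print(f"[pid {pid}] {finding}")
```

The first record, ie4uinit.exe starting from System32 at logon, produces nothing, which is the point: the binary itself is legitimate and signed, so a signature-based tool stays quiet. Only the context (where the copy lives, who launched it, what directory it works in) separates the second record from the first, and that context is what process-creation telemetry gives you and antivirus alone does not.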

Employee awareness is an essential strategy to protect against this type of phishing attack, according to a number of experts.

“So, and oftentimes, applicants have to go through HR software, right, or recruiting software to submit and upload their résumé,” said Jess Burn, senior analyst at Forrester. “So if you’re getting something directly, and you’re not expecting it, that, you know, in and of itself should give you pause, as a hiring manager.”

Dickinson recommends identifying the employees most at risk of opening bad résumés, tracking new social-engineering threats, and placing them in a centralized location, like a SharePoint repository.

“All employees at every level across the organization should receive components or elements of security awareness training, to ensure that they have the skills required to identify an attack,” said Dickinson.

Or to put it another way:

“Technology alone cannot protect you.”
