The threat actor has made several upgrades to More_eggs to infect victims more effectively and to evade automated analysis techniques like sandboxing, Arctic Wolf said.
“The recruiters and hiring managers who work in HR departments are often considered to be the weak point in an organization by attackers, as the very nature of their job means that they must regularly open email attachments (such as resumés and cover letters) emailed to them from external and unknown sources, including job candidates and hiring agencies,” said the report.
Typically, a malicious message in this campaign contains a link, supposedly to allow the manager to download the job seeker’s resumé from an external site. If the manager clicks the link, they are taken to an actor-controlled website from which they can download a (decoy) resumé. On this site, the user must check a CAPTCHA box, a step that helps the site evade automated scanners.