HR Staff at Risk in Venom Spider Phishing Scheme


A financially motivated threat actor, “Venom Spider,” has been targeting HR staff, including recruiters and hiring managers, with a sophisticated phishing campaign designed to exploit their frequent need to open email attachments. This new tactic, tracked by security vendor Arctic Wolf, highlights the vulnerability of HR employees who often receive resumes and cover letters from external sources, including job candidates and hiring agencies.

Venom Spider’s campaign, detailed in a May 2 blog post, uses a fake résumé and a malicious attachment to deliver a backdoor named “More_eggs.” The backdoor, when executed, allows attackers to remotely control the compromised system, collect system information, and potentially deploy additional malicious code. This attack follows a similar approach used by Venom Spider in past campaigns, which date back to the late 2010s.

How the Attack Works

In its most recent campaign, Venom Spider sends spear-phishing emails to HR personnel, containing a link to an external site with a captcha box to bypass email filters. Once the captcha is completed, a zip file is downloaded, which appears to be a resume but actually contains a harmful Windows shortcut file. This shortcut file is the initial payload in the attack chain.

The .lnk file in the zip package downloads a .bat file from the attacker’s server, which then launches WordPad to create the illusion of a harmless document being opened. Meanwhile, the attacker’s code executes hidden commands and runs JavaScript code in the background, ultimately producing a “More_eggs_Dropper” executable library.

More_eggs: A Persistent Threat

The “More_eggs_Dropper” library uses obfuscated code to evade detection, executing complex commands and generating polymorphic JavaScript code to bypass security measures. The final payload, “More_eggs,” establishes a backdoor that allows the attacker to maintain persistent access to the victim’s system, run additional malicious code, and exfiltrate sensitive information.

Venom Spider has been conducting these attacks since at least October 2023, with signs indicating the campaign is both ongoing and continually evolving.

Defending Against Venom Spider’s Campaign

While the attack chain may seem sophisticated, Arctic Wolf’s researchers emphasize that this is ultimately a phishing attack, and basic defense measures can significantly reduce the risk. Regular employee training on identifying and preventing spear-phishing attacks is crucial, especially for those working in vulnerable departments like HR and recruitment.

In particular, HR staff should be trained to scrutinize attachments closely, particularly LNK, ISO, or VBS files, which are often disguised as zip files to evade email filters. Employees should right-click files to inspect their properties before opening any attachments.
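A small attachment-triage script in the spirit of this advice, added here as an example and not part of Arctic Wolf’s or SC Media’s material: it lists the entries of a “résumé” zip and flags the extensions named above, double extensions such as Resume.pdf.lnk, and any entry whose first bytes carry the Windows shortcut header regardless of its name. The sample archive is constructed inline; the risky-extension list is an assumption that extends the article’s LNK/ISO/VBS with the .bat and JavaScript stages it describes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that should not arrive inside a "resume" archive (assumed list:
# the article's LNK/ISO/VBS plus the .bat and script stages it describes).
RISKY_EXTENSIONS = {".lnk", ".iso", ".vbs", ".bat", ".js", ".hta", ".cmd"}
# Document-looking extensions attackers place in front of the real one.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".rtf"}
# Windows shortcut header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK), little-endian.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")


def inspect_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons one archive entry looks suspicious (empty if none)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    findings = []
    if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
        findings.append(f"risky extension {suffixes[-1]}")
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
        findings.append(f"double extension {''.join(suffixes[-2:])}")
    if head.startswith(LNK_MAGIC):
        findings.append("content is a Windows shortcut (LNK header)")
    return findings


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name in a zip to its list of findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)  # only the header is needed for the check
            findings = inspect_entry(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip() -> bytes:
    """Constructed sample: a benign cover letter plus a shortcut posing as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cover_letter.txt", "Dear hiring manager, ...")
        zf.writestr("Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 16)
    return buf.getvalue()
```

Run `scan_zip()` over the raw bytes of an inbound attachment at the mail gateway or in a sandbox; `build_sample_zip()` supplies the constructed archive for a dry run.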

Stefan Hostetler, senior threat intelligence researcher at Arctic Wolf, stresses the importance of understanding the pressure on recruiters in today’s job market. With many candidates applying for each job listing, the attackers have a significant advantage in tricking HR personnel into opening malicious files. This, combined with the complexity of the attack, makes HR departments a common and effective target for threat actors like Venom Spider.
