Intel Name: The curious case of an egg-cellent resume
Date of Scan: December 3, 2024
Impact: High
Summary: In March 2024, an investigation revealed that a threat actor infected a user endpoint and pivoted to two servers in the environment. Initial access was gained through a job application lure: the victim downloaded a fake resume ZIP file and executed a malicious .lnk file. This triggered the use of ie4uinit.exe to side-load a malicious .inf file, which dropped and executed a malicious DLL via WMI. The attack culminated in a scheduled task and a WMI process launching JScript through msxsl.exe, delivering the final more_eggs payload to establish command-and-control communication. TA4557 has been tracked since 2018 as a sophisticated, financially motivated threat actor known for distributing the exclusive more_eggs backdoor, which is capable of profiling endpoints and delivering additional payloads.
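As an added example (not part of the report), the Python routine below triages Sysmon-style process-creation events for two stages of the chain above: ie4uinit.exe running with a non-system working directory (the .inf side-load) and msxsl.exe spawned by the WMI provider host or the task scheduler (the JScript launch). The field names, rule names and sample paths are assumptions.

```python
"""Heuristic triage of process-creation events for the more_eggs chain
described above. Constructed example, not from the original report:
the Sysmon-style field names and sample paths are assumptions."""
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Parents matching the report's "scheduled task and WMI process" stage:
# WmiPrvSE.exe hosts WMI providers; on current Windows the Task Scheduler
# service runs inside svchost.exe (taskeng.exe on older builds).
TASK_OR_WMI_PARENTS = ("wmiprvse.exe", "svchost.exe", "taskeng.exe")


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules an event trips (empty if none)."""
    hits = []
    image = _name(ev.get("Image", ""))
    parent = _name(ev.get("ParentImage", ""))
    cwd = ev.get("CurrentDirectory", "").lower()

    # Heuristic for the .inf side-load: ie4uinit.exe picks up its .inf from
    # the working directory, so a run whose working directory lies outside
    # the system directories (e.g. an extracted ZIP under %TEMP%) is suspect.
    if image == "ie4uinit.exe" and not cwd.startswith(SYSTEM_DIRS):
        hits.append("ie4uinit_inf_sideload")

    # msxsl.exe is rare on endpoints; spawned by the WMI provider host or the
    # scheduler it matches the JScript launch stage in the report.
    if image == "msxsl.exe" and parent in TASK_OR_WMI_PARENTS:
        hits.append("msxsl_script_via_wmi_or_task")
    return hits


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> tripped rules, keeping only events with a hit."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


# Constructed sample telemetry: two benign events, two matching the chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ie4uinit.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Windows\System32"},
    {"Image": r"C:\Windows\System32\ie4uinit.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp\resume_extracted"},
    {"Image": r"C:\Windows\System32\msxsl.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CurrentDirectory": r"C:\Windows\System32"},
    {"Image": r"C:\Tools\msxsl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Tools"},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, rules)
```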