The Curious Case of an Egg-Cellent Resume
- Initial access was via a resume lure as part of a TA4557/FIN6 campaign. The threat actor abused LOLbins like ie4uinit.exe and msxsl.exe to run the more_eggs malware. Cobalt Strike and python-based C2 Pyramid were employed by the threat actor for post-exploitation activity. The threat actor abused CVE-2023-27532 to exploit a Veeam server and facilitate lateral movement and privilege escalation activities. The threat actor installed Cloudflared to assist in tunneling RDP traffic. This case was first published as a Private Threat Brief for customers in April of 2024. Eight new rules were created from this report and added to our Private Detection Ruleset.