LinkedIn Spear-Phishing Campaign Targets Job Hunters

Fake job offers lure professionals into downloading the more_eggs backdoor trojan.

A threat group called Golden Chickens is delivering the fileless backdoor more_eggs through a spear-phishing campaign targeting professionals on LinkedIn with fake job offers, according to researchers at eSentire.

The phishing emails try to trick a victim into clicking on a malicious .ZIP file by picking up the victim’s current job title and adding the word “position” at the end, making it appear like a legitimate offer.

“For example, if the LinkedIn member’s job is listed as ‘Senior Account Executive—International Freight,’ the malicious .ZIP file would be titled ‘Senior Account Executive—International Freight position’ (note the ‘position’ added to the end),” according to the report. “Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs.”

Once downloaded, more_eggs can fetch additional malware and provide access to the victim’s system, the report said. The Golden Chickens group is also selling more_eggs as malware-as-a-service to other cybercriminals, who use it to gain a foothold in victim’s systems to install other types of malware, including banking malware, credential stealers and ransomware, or just to exfiltrate data, eSentire reported.

More_Eggs Malware: A ‘Formidable Threat’

Rob McLeod, eSentire’s Threat Response Unit director ,highlighted three specific aspects of the more_eggs trojan that make it what he described as a “formidable threat to business and business professionals.”

First, it abuses normal Windows processes to avoid antivirus protections. Second, McLeod pointed out the personalized spear phishing emails are effective in enticing victims to click on the fake job offer. What’s perhaps most pernicious is that the malware exploits job hunters desperate to find employment in the midst of a global pandemic and skyrocketing unemployment rates, he added.

While eSentire hasn’t been able to pinpoint the group behind more_eggs, researchers have observed the groups FIN6, Cobalt Group and Evilnum have each used the more_eggs malware as a service for their own purposes.

More_Eggs Malware-As-A-Service

The financial threat gang FIN6 used the more_eggs malware to target various e-commerce companies back in 2019. At the same time, attackers used more_eggs to breach retail, entertainment and pharmaceutical companies’ online payments systems, which reSentire esearchers haven’t definitively linked to FIN6, but are suspected to be linked.

Other groups have used the malware too. Evilnum likes to attack financial tech companies, according to eSentire, to steal spreadsheets, customer lists and trading credentials, while Cobalt Group is usually focused on attacking financial companies with the more_eggs backdoor.

Rather than attack someone who is unemployed, experts agree that the goal of the campaign is likely to attack people who are employed and have access to sensitive data.

How to Avoid Being a LinkedIn Victim

The motivation for the attacks is unclear, researchers said.

“Not much to gain from an unemployed worker using their own personal device,” Chris Morales, Netenrich’s CIO, told Threatpost. “Other than perhaps intel on who they are talking to and hoping to infiltrate a future network. During the work-from-home state we are in, personal and organization devices coexist on the same network.”

In the report, eSentire follows the more_eggs LinkedIn attack on someone in the health care technology sector. Chris Hazelton with mobile security provider Lookout told Threatpost that the victim that said was likely chosen so that  cybercriminals could gain “access to an organization’s cloud infrastructure, with a potential goal of exfiltrating sensitive data related to intellectual property or even infrastructure-controlling medical devices. He added, “Connected devices, particularly medical devices, could be a treasure trove for cybercriminals.”

Morales added that to avoid compromise, all users on LinkedIn should be on the lookout for spear-phishing scams.

“Targeting LinkedIn is not rocket science,” he added. “It is social media for the corporate world with a description of the key players in every industry. I assume that I am a target too and always look for that.”

Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event. 

Suggested articles