A leading cybersecurity solutions provider is warning enterprises and individuals that a hacking group is spearphishing business professionals on LinkedIn with fake job offers in an effort to infect them with a sophisticated backdoor Trojan. Backdoor Trojans give threat actors remote control over the victim’s computer, allowing them to send, receive, launch and delete files.
eSentire’s research team, the Threat Response Unit (TRU), discovered that hackers are spearphishing victims with a malicious zip file named after the job position listed on the target’s LinkedIn profile. For example, if the LinkedIn member’s job is listed as “Senior Account Executive-International Freight”, the malicious zip file would be titled “Senior Account Executive-International Freight position” (note the “position” added to the end). Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs. Once loaded, the sophisticated backdoor can download additional malicious plugins and provide hands-on access to the victim’s computer. The threat group behind more_eggs, Golden Chickens, sells the backdoor under a malware-as-a-service (MaaS) arrangement to other cybercriminals. Once more_eggs is on the victim’s computer system, Golden Chickens’ seedy customers can go in and infect the system with any type of malware: ransomware, credential stealers, banking malware, or simply use the backdoor as a foothold into the victim’s network so as to exfiltrate data.
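The naming pattern described above (the target’s own job title with “position” appended, delivered as an archive) is specific enough to check for at the mail gateway. The following is an added example of such a detection heuristic, not code from eSentire or the article: it assumes a hypothetical employee directory mapping recipient addresses to their public job titles and a hypothetical gateway log format, both constructed inline.

```python
import os
import re

# Constructed sample directory (hypothetical): recipient address -> the job
# title shown on that person's public profile, as HR or the user supplied it.
DIRECTORY = {
    "j.doe@example.com": "Senior Account Executive-International Freight",
    "a.lee@example.com": "Logistics Coordinator",
}

# Constructed sample mail-gateway log lines (hypothetical format):
#   <timestamp> rcpt=<address> attachment="<filename>"
SAMPLE_LOG = """\
2021-04-05T09:12:01Z rcpt=j.doe@example.com attachment="Senior Account Executive-International Freight position.zip"
2021-04-05T09:15:44Z rcpt=a.lee@example.com attachment="Q1_invoice.pdf"
2021-04-05T09:20:10Z rcpt=a.lee@example.com attachment="logistics coordinator POSITION.ZIP"
2021-04-05T09:31:07Z rcpt=j.doe@example.com attachment="Senior Account Executive-International Freight.docx"
"""

LOG_RE = re.compile(r'rcpt=(?P<rcpt>\S+)\s+attachment="(?P<name>[^"]+)"')
# Container formats commonly used to deliver script-based droppers.
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img"}


def normalize(text: str) -> str:
    """Collapse whitespace and case so 'Title  POSITION' matches 'title position'."""
    return re.sub(r"\s+", " ", text).strip().casefold()


def is_job_lure(recipient: str, filename: str) -> bool:
    """True if an archive's name equals the recipient's job title plus ' position'."""
    title = DIRECTORY.get(recipient)
    if title is None:
        return False  # no title on file for this recipient; nothing to compare
    stem, ext = os.path.splitext(filename)
    if ext.casefold() not in ARCHIVE_EXT:
        return False  # the lure described arrives as an archive, not a document
    return normalize(stem) == normalize(title + " position")


def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (recipient, attachment) pairs from the log that match the lure pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_job_lure(m["rcpt"], m["name"]):
            hits.append((m["rcpt"], m["name"]))
    return hits
```

The comparison is case- and whitespace-insensitive because the title in the lure is copied from the profile and may not match the directory entry exactly; the `.docx` line is deliberately left unflagged to show that only archives are in scope.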
What Risk Does the More_Eggs Backdoor Pose to Organizations and Business Professionals?
1. It runs through normal Windows processes, so it is typically not picked up by anti-virus and automated security solutions; it is quite stealthy.
2. Including the target’s job position from LinkedIn in the weaponized job offer increases the odds that the recipient will detonate the malware.
3. Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times.
These three elements make more_eggs, and the cybercriminals who use this backdoor, very lethal.
More_eggs maintains a stealthy profile by abusing legitimate Windows processes and feeding those processes instructions via script files. Additionally, campaigns using the MaaS offering appear to be sparse and selective in comparison to typical malspam distribution networks. Because of the stealth and spearphishing capabilities of the more_eggs operation, the Golden Chickens threat group enjoys patronage from notable advanced threat groups, such as FIN6, Cobalt Group and Evilnum.
Thus far, the TRU team has not discovered forensics indicating the identity of the hacking group that is trying to spearphish the LinkedIn members. However, as mentioned, this malware-as-a-service has been used by three notable threat groups: FIN6, Cobalt Group and Evilnum.