A threat group called Golden Chickens is delivering the fileless backdoor more_eggs through a spear-phishing campaign targeting professionals on LinkedIn with fake job offers, state researchers at eSentire.
Fake job offers tempt professionals into downloading the more_eggs backdoor trojan.
The phishing emails try to fool a victim into clicking on a malicious .ZIP file by picking up the victim’s current job title & adding the word “position” at the end, making it seem like a legitimate offer.
Fake Job Advert
“For example, if the LinkedIn member’s job is listed as ‘Senior Account Executive—International Freight,’ the malicious .ZIP file would be titled ‘Senior Account Executive—International Freight position’ (note ‘position’ added to the end),” observes the report. “Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs.”
When downloaded, more_eggs can fetch additional malware & provide access to the victim’s system, the report commented.
The Golden Chickens group is also selling more_eggs as malware-as-a-service to other cyber-criminals, who use it to gain a foothold in victims’ systems to install other types of malware, including banking malware, credential stealers & ransomware, or just to exfiltrate data, eSentire reported.
Rob McLeod, eSentire’s Threat Response Unit Director, outlined 3 specific aspects of the more_eggs trojan that make it a “formidable threat to business & business professionals.”
First, it abuses normal Windows processes to avoid antivirus protections. Second, McLeod pointed out that the personalised spear-phishing emails are effective in luring victims to click on the fake job offer. Third, and perhaps most unfortunate, the malware exploits job hunters desperate to find employment in the middle of a global pandemic & rocketing unemployment rates, he explained.
While eSentire has not been able to pinpoint the group behind more_eggs, researchers have observed that the groups FIN6, Cobalt Group & Evilnum have each used the more_eggs malware-as-a-service for their own purposes.
The financial threat gang FIN6 used the more_eggs malware to target various e-commerce companies back in 2019. At the same time, attackers used more_eggs to breach the online payment systems of retail, entertainment & pharmaceutical companies, in attacks that eSentire researchers suspect, but have not definitively linked, to FIN6.
Other groups have used the malware too. Evilnum likes to attack financial tech companies, according to eSentire, to steal spreadsheets, customer lists & trading credentials, while Cobalt Group is usually focused on attacking financial companies with the more_eggs backdoor.
Rather than attack someone who is unemployed, experts think that the goal of the campaign is likely to attack people who are employed & have access to sensitive data.
Avoid Being a Victim
The motivation for the attacks is unclear, researchers stated.
“Not much to gain from an unemployed worker using their own personal device,” Chris Morales, Netenrich’s CIO, explained. “Other than perhaps intel on who they are talking to & hoping to infiltrate a future network. During the work-from-home state we are in, personal & organisation devices coexist on the same network.”
In the report, eSentire follows the more_eggs LinkedIn attack on someone in the health care technology sector.
Chris Hazelton with mobile security provider Lookout outlined that the victim was likely chosen so that cyber-criminals could gain “access to an organisation’s cloud infrastructure, with a potential goal of exfiltrating sensitive data related to intellectual property or even infrastructure-controlling medical devices.”
He added, “Connected devices, particularly medical devices, could be a treasure trove for cyber-criminals.”
Morales added that to avoid compromise, all users on LinkedIn should look out for spear-phishing scams.
“Targeting LinkedIn is not rocket science,” he concluded. “It is social media for the corporate world with a description of the key players in every industry. I assume that I am a target too & always look for that.”