Researchers at cybersecurity company eSentire discovered a spear-phishing campaign targeting LinkedIn users with more_eggs, a backdoor sold by the malware group Golden Chickens. The firm’s Threat Response Unit (TRU) was able to stop the attack.
The attack is described as “fileless” and as a “backdoor.” According to the report, the threat actors take the job title listed on a victim’s LinkedIn profile and send them a seemingly innocent job offer named after it; the attack is triggered when the offer is clicked.
The report said, “For example, if the LinkedIn member’s job is listed as Senior Account Executive – International Freight, the malicious zip file would be titled Senior Account Executive – International Freight position (note the ‘position’ added to the end).”
Clicking on the offer initiates the installation of more_eggs, which then downloads additional plugins that give the attackers access to the target system.
TRU director Rob McLeod, Sr. noted, “What is particularly worrisome about the more-Eggs activity is that it has three elements which make it a formidable threat to businesses and business professionals.”
First, the malware operates through normal Windows activity, which makes it difficult for anti-virus and automated security solutions to detect and gives it the advantage of stealth.
Second, it is delivered through weaponized job offers, which makes detonation easy: the target only needs to click a link to download a malicious file, which in turn downloads further malware.
Lastly, more_eggs takes advantage of the public health situation, which has left thousands of people unemployed. Targeted and weaponized job offers are more likely to be opened by individuals looking for employment.
McLeod added, “These three elements make more_eggs, and the cybercriminals which use this backdoor, very lethal.”
Golden Chickens has been selling more_eggs to cybercriminals as a malware-as-a-service (MaaS) product. The group’s customers are the ones conducting the attacks.
Threat Post gathered advice from cybersecurity experts on avoiding more_eggs. According to Netenrich CIO Chris Morales, vigilance against spear-phishing is the best defense.
Knowing the signs of a malicious file is the first step. For LinkedIn users, a job-offer file whose name is their own job title with the word “position” appended is a telling sign.
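The naming pattern described above can be turned into a simple check on downloaded or attached archives. The following is an added example (not code from eSentire or Threat Post) that compares an archive’s name against the user’s LinkedIn job title, folding case, dash variants and whitespace so the en dash in the report’s example still matches; the user-to-title directory and the download events are constructed sample data, and the `.rar`/`.7z` extensions are an assumption added for generality.

```python
import re
import unicodedata

# ".zip" is the extension the report names; the others are assumptions for generality.
ARCHIVE_EXTS = (".zip", ".rar", ".7z")


def _normalize(text: str) -> str:
    """Fold case, unify dash variants (the lure used an en dash) and collapse whitespace."""
    text = unicodedata.normalize("NFKC", text)
    text = re.sub(r"[\u2010-\u2015\u2212-]", "-", text)
    return re.sub(r"\s+", " ", text).strip().casefold()


def is_lure_filename(filename: str, job_title: str) -> bool:
    """True when an archive is named '<job title> position', the more_eggs lure pattern."""
    name = filename.rsplit("/", 1)[-1]
    if not name.casefold().endswith(ARCHIVE_EXTS):
        return False
    stem = name[: name.rfind(".")]
    return _normalize(stem) == _normalize(job_title) + " position"


def flag_downloads(events, titles):
    """events: (user, filename) pairs; titles: user -> LinkedIn job title.
    Returns the (user, filename) pairs whose name matches that user's own title."""
    return [(u, f) for (u, f) in events
            if u in titles and is_lure_filename(f, titles[u])]


# Constructed sample data, not real telemetry.
LINKEDIN_TITLES = {
    "alice": "Senior Account Executive – International Freight",
    "bob": "Security Analyst",
}
SAMPLE_EVENTS = [
    ("alice", "Senior Account Executive – International Freight position.zip"),
    ("alice", "Q3 freight rates.xlsx"),
    ("bob", "security analyst POSITION.ZIP"),
    ("bob", "Senior Account Executive – International Freight position.zip"),  # not bob's title
    ("bob", "Security Analyst.zip"),  # no "position" suffix
]

if __name__ == "__main__":
    for user, fname in flag_downloads(SAMPLE_EVENTS, LINKEDIN_TITLES):
        print(f"flag: {user} downloaded lure-style archive {fname!r}")
```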
Meanwhile, Morales noted that the motivation for this campaign remains unclear, as there is “not much to gain from an unemployed worker using their own personal device.” However, infecting a medical device, or a device holding such information, would be more valuable to the attackers.