A new kind of phishing campaign on LinkedIn is targeting people with personalised job offers in order to infect victims’ devices with Trojan malware.
To increase the chances that the lure is opened, the malicious ZIP archive is given exactly the same name as the job title listed on the victim’s LinkedIn profile, with the word “position” appended. For example, if the victim works as a Marketing Executive, the malicious file will be named “Marketing Executive position”.
All it takes is opening the mystery job offer to unknowingly start the installation of a fileless backdoor* called more_eggs. Once loaded, it attempts to download additional malicious plug-ins and gives the attackers direct access to the victim’s computer, according to the analysis by the eSentire Threat Response Unit. The backdoor can also act as a channel for fetching further payloads from an attacker-controlled server, including banking Trojans, ransomware, and credential stealers.
The Trojan also abuses legitimate Windows processes such as WMI to evade traditional antivirus tools. This makes it considerably harder to detect and therefore more dangerous.
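The naming pattern described above (the recipient’s own job title followed by “position”, delivered as a ZIP archive) is something a mail gateway or SIEM rule can look for. The following is an added example, not code from the original post or from eSentire: it scores attachment events against a hypothetical HR export of employee job titles, flagging an exact title match as high severity and any other “… position.zip” archive as medium.

```python
import re

# Constructed sample of mail attachment events (not taken from the post).
SAMPLE_EVENTS = [
    {"recipient": "alice@example.com", "attachment": "Marketing Executive position.zip"},
    {"recipient": "bob@example.com", "attachment": "Q3 budget.xlsx"},
    {"recipient": "carol@example.com", "attachment": "senior-accountant-position.ZIP"},
    {"recipient": "dave@example.com", "attachment": "Marketing Executive position.zip"},
]

# Hypothetical mapping of recipients to their public job titles (assumed HR export).
JOB_TITLES = {
    "alice@example.com": "Marketing Executive",
    "bob@example.com": "Financial Analyst",
    "carol@example.com": "Senior Accountant",
    "dave@example.com": "DevOps Engineer",
}


def normalise(name):
    """Lower-case and collapse spaces, hyphens and underscores so that
    'Senior-Accountant_position' compares equal to 'senior accountant position'."""
    return re.sub(r"[\s_\-]+", " ", name).strip().lower()


def classify(attachment, job_title):
    """Return 'high', 'medium' or None for one attachment name.

    high   - ZIP named '<recipient's own job title> position'
    medium - ZIP named '<anything> position' (same lure family, wrong title)
    None   - not a ZIP, or no 'position' suffix
    """
    stem, _, ext = attachment.rpartition(".")
    if not stem or ext.lower() != "zip":
        return None
    stem = normalise(stem)
    if not stem.endswith(" position"):
        return None
    if job_title and stem == normalise(job_title) + " position":
        return "high"
    return "medium"


def find_lures(events, titles):
    """Map each recipient who received a suspicious archive to its severity."""
    hits = {}
    for event in events:
        severity = classify(event["attachment"], titles.get(event["recipient"]))
        if severity:
            hits[event["recipient"]] = severity
    return hits
```

Run over the constructed events, Alice and Carol are flagged high (their own titles), Dave medium (a generic lure with someone else’s title), and Bob’s spreadsheet is ignored.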
More_eggs campaigns such as this have been around for a few years, and the backdoor itself has been attributed to the Golden Chickens group (a malware-as-a-service provider). The operators of this latest campaign have yet to be identified; more_eggs has been used in the past by various criminal groups. They are believed to be taking advantage of the large number of COVID-19 layoffs to increase the campaign’s reach.
Worried about cyber security? We can help. Get in touch for advice and keep your data safe.
* A backdoor is a typically covert method of bypassing normal authentication or encryption in a computer, product, embedded device, or its embodiment. Backdoors are most often used for securing remote access to a computer or obtaining access to plaintext in cryptographic systems. (Wikipedia)