Security researchers are warning LinkedIn users to beware of unsolicited job offers after revealing a new spear-phishing campaign designed to install Trojan malware on their devices.
The eSentire Threat Response Unit (TRU) yesterday claimed that individuals were being targeted with customized files named after their own current job title.
“Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs. Once loaded, the sophisticated backdoor can download additional malicious plugins and provide hands-on access to the victim’s computer,” it continued.
“The threat group behind more_eggs, Golden Chickens, sell the backdoor under a malware-as-a-service (MaaS) arrangement to other cyber-criminals.”
Once more_eggs is installed, the backdoor can be used by Golden Chickens customers to further their own campaigns by infecting victims with additional malware such as ransomware, credential stealers and banking Trojans, warned eSentire. Backdoor access could also be used to find and exfiltrate sensitive data from the victim’s machine, it added.
The group is thought to be taking advantage of the high number of COVID-19 redundancies in the US to spread this email campaign, whilst including the victim’s own LinkedIn job position as the name of the malicious Zip file to increase the chances of them opening it.
The Trojan also abuses legitimate Windows processes such as WMI to evade detection by traditional AV tools.
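One defender-side heuristic for the lure described above, written as an added example rather than anything from eSentire's report: flag inbound archive attachments whose file name matches the recipient's own job title. It assumes a hypothetical join of mail-gateway events with an HR directory export; the field names and sample records are constructed.

```python
import re
from dataclasses import dataclass

# Archive extensions the campaign's lure is reported to use (Zip), plus a few
# common alternatives; matched case-insensitively at the end of the file name.
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z|iso)$", re.IGNORECASE)


@dataclass
class InboundMail:
    """One inbound message joined with the recipient's directory job title (hypothetical schema)."""
    recipient: str
    job_title: str
    attachment: str


def normalize(text: str) -> str:
    """Lower-case and collapse spaces, underscores, hyphens and dots so that
    'Senior_Software-Engineer' compares equal to 'senior software engineer'."""
    return re.sub(r"[\s_\-\.]+", " ", text).strip().lower()


def is_title_lure(mail: InboundMail) -> bool:
    """True when an archive attachment is named after the recipient's own job title."""
    if not mail.job_title or not ARCHIVE_EXT.search(mail.attachment):
        return False
    stem = ARCHIVE_EXT.sub("", mail.attachment)
    # Substring match catches 'offer-<title>.zip' as well as an exact '<title>.zip'.
    return normalize(mail.job_title) in normalize(stem)


def flagged_recipients(mails):
    """Recipients whose mail should be pulled for review before delivery."""
    return [m.recipient for m in mails if is_title_lure(m)]


# Constructed sample records: two job-title lures, one benign attachment.
SAMPLE_MAILS = [
    InboundMail("alice@example.test", "Senior Software Engineer", "Senior Software Engineer.zip"),
    InboundMail("bob@example.test", "Account Manager", "Q3_report.pdf"),
    InboundMail("carol@example.test", "Payroll Specialist", "offer-payroll_specialist.ZIP"),
]

if __name__ == "__main__":
    for recipient in flagged_recipients(SAMPLE_MAILS):
        print("hold for review:", recipient)
```

The check is a triage heuristic, not proof of compromise; a hit should route the message to sandbox detonation or analyst review rather than auto-block on its own.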
The campaign is similar to one from 2019 in which employees of US retail, entertainment and pharmaceutical companies were targeted by the same more_eggs Trojan disguised as a job offer matching their own current position, eSentire claimed.
Noted Advanced Persistent Threat (APT) groups including FIN6, Cobalt Group and Evilnum have all been spotted in the past using more_eggs in their attacks, although it’s unclear who is behind the Golden Chickens group.