A new spear-phishing campaign is targeting professionals on LinkedIn with weaponized job offers in an attempt to infect targets with a sophisticated backdoor trojan called "more_eggs."
To increase the odds of success, the phishing lures take advantage of malicious ZIP archive files that have the same name as that of the victims' job titles taken from their LinkedIn profiles.
"For example, if the LinkedIn member's job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the 'position' added to the end)," cybersecurity firm eSentire's Threat Response Unit (TRU) said in an analysis. "Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs."
Campaigns delivering more_eggs using the same modus operandi have been spotted at least since 2018, with the backdoor attributed to a malware-as-a-service (MaaS) provider called Golden Chickens. The adversaries behind this new wave of attacks remain unknown as yet, although more_eggs has been put to use by various cybercrime groups such as Cobalt, FIN6, and EvilNum in the past.
Once installed, more_eggs maintains a stealthy profile by hijacking legitimate Windows processes while presenting the decoy "employment application" document to distract targets from ongoing background tasks triggered by the malware. Furthermore, it can act as a conduit to retrieve additional payloads from an attacker-controlled server, such as banking trojans, ransomware, credential stealers, and even use the backdoor as a foothold in the victim's network so as to exfiltrate data.
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
If anything, the latest development is yet another indication of how threat actors are constantly tweaking their attacks with personalized lures in an attempt to trick unsuspecting users into downloading malware.
"Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment," the researchers said. "Thus, a customized job lure is even more enticing during these troubled times."