
Hackers target LinkedIn users with fake job offers to spread malware

The Golden Chickens group sells the More_Eggs backdoor to other criminal groups under a malware-as-a-service (MaaS) model

The Golden Chickens hacking group is targeting LinkedIn users with fake job offers to infect them with a backdoor that gives the attackers remote control of victims' computers.

The hackers spread the More_Eggs malware by spear phishing victims with a malicious .ZIP file named after the job title on the victim's LinkedIn profile, according to security firm eSentire.

These files are titled to mirror the exact job title. For example, a user listing ‘Senior Account Executive International Freight’ as their job will be sent a malicious .ZIP file titled ‘Senior Account Executive - International Freight position’.

Opening the archive starts a stealthy installation of the More_Eggs backdoor, which can download additional malicious plugins and give its operators remote access to the device.

Golden Chickens sells the backdoor to other cyber criminals under a malware-as-a-service (MaaS) arrangement. Much of its appeal lies in how quietly it operates: rather than dropping obviously malicious executables, More_Eggs abuses legitimate Windows processes (a "living off the land" approach), so its activity blends in with normal system behaviour.

Researchers with eSentire disrupted an active spear phishing incident in which a health tech professional downloaded and executed a malicious .ZIP file.


The researchers saw the victim unwittingly launch VenomLNK, the initial stage of More_Eggs, which abused Windows Management Instrumentation (WMI) to start the plugin loader, TerraLoader. TerraLoader in turn hijacks two legitimate Windows binaries, cmstp.exe and regsvr32.exe, to run its code.

While TerraLoader is starting, a decoy Word document posing as a job application is shown to the victim. It plays no part in the infection; its only purpose is to keep the user's attention away from what More_Eggs is doing in the background.

TerraLoader then drops a copy of msxsl, a legitimate Microsoft command-line XSL transform utility, into the user's roaming profile and uses it to load the payload and beacon to a command and control (C&C) server. That beacon signals that the More_Eggs backdoor is ready for Golden Chickens' customer to log in and pursue their own goals.
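The chain above leaves a recognisable trail in process-creation telemetry: user-facing Windows binaries started by the WMI provider host, cmstp.exe or regsvr32.exe pointed at files under the user's roaming profile, and msxsl.exe executing from that profile instead of a system directory. The following is an added example, written for this page and not taken from the article or from eSentire's report, that runs three such rules over constructed Sysmon-style records. The field layout is modelled on Sysmon Event ID 1; the user name, file paths, command lines and the exact parent/child relationships in the sample records are invented for illustration, and treating the WMI-to-TerraLoader hop as wmiprvse.exe parenting the LOLBin is an assumption rather than something the article states.

```python
"""Added example (not from IT Pro or eSentire): flag the More_Eggs-style
living-off-the-land chain in process-creation logs.

Records mimic Sysmon Event ID 1 fields; every sample record below is
constructed, and the parent/child relationships are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 style)."""
    image: str          # full path of the newly created process
    parent_image: str   # full path of its parent process
    command_line: str
    user: str


# Legitimate Windows binaries the article says TerraLoader hijacks.
LOLBINS = {"cmstp.exe", "regsvr32.exe"}
# WMI provider host. Assumption: the WMI hop shows up as this parent.
WMI_HOST = "wmiprvse.exe"


def _basename(path: str) -> str:
    """Case-folded file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _mentions_roaming_profile(text: str) -> bool:
    """True if the text references C:\\Users\\<name>\\AppData\\Roaming\\..."""
    return "\\appdata\\roaming\\" in text.replace("/", "\\").lower()


def classify(ev: ProcessEvent) -> List[str]:
    """Return the names of every rule the event trips (empty = no finding)."""
    img = _basename(ev.image)
    parent = _basename(ev.parent_image)
    hits: List[str] = []
    # Rule 1: cmstp/regsvr32 launched by the WMI provider host.
    if img in LOLBINS and parent == WMI_HOST:
        hits.append("lolbin_spawned_by_wmi")
    # Rule 2: cmstp/regsvr32 told to load something from the roaming profile.
    if img in LOLBINS and _mentions_roaming_profile(ev.command_line):
        hits.append("lolbin_loads_from_roaming_profile")
    # Rule 3: msxsl.exe running out of the roaming profile, not a system dir.
    if img == "msxsl.exe" and _mentions_roaming_profile(ev.image):
        hits.append("msxsl_in_roaming_profile")
    return hits


def scan(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map event index -> rule hits, for every event that tripped a rule."""
    findings: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample telemetry: two benign records, then three modelled on
# the chain described in the article. All names and paths are invented.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\userinit.exe",
                 "explorer.exe", "CORP\\alice"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"C:\Windows\System32\msiexec.exe",
                 r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
                 "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\cmstp.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"cmstp.exe /ni /s C:\Users\alice\AppData\Roaming\Microsoft\profile.inf",
                 "CORP\\alice"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"C:\Windows\System32\cmstp.exe",
                 r"regsvr32.exe /s C:\Users\alice\AppData\Roaming\Microsoft\loader.dll",
                 "CORP\\alice"),
    ProcessEvent(r"C:\Users\alice\AppData\Roaming\Microsoft\msxsl.exe",
                 r"C:\Windows\System32\regsvr32.exe",
                 r"msxsl.exe config.xml config.xsl", "CORP\\alice"),
]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {_basename(ev.image)} <- {_basename(ev.parent_image)}: {', '.join(hits)}")
```

The benign regsvr32 record (a vendor installer registering a DLL from Program Files) trips nothing, which is the point of keying on parent process and file location rather than on the binary name alone; cmstp.exe and regsvr32.exe run legitimately on every Windows host, so alerting on them outright would drown a SOC in noise. In production the same three conditions map directly onto Sysmon or EDR process-creation fields and can be expressed as Sigma rules.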

What happens next depends on which customer bought access. Options include dropping further malware, such as ransomware, or using the foothold in the victim's network to exfiltrate data.

The eSentire researchers have not yet determined the ultimate purpose of this campaign, which mirrors a similar one reported in February 2019 that also used the More_Eggs backdoor.
