Hackers target LinkedIn users with fake job offers to spread malware
The Golden Chicken group is selling the More_Eggs backdoor to other groups as a malware as a service (MaaS) model
These files are titled to mirror the exact job title. For example, a user listing ‘Senior Account Executive International Freight’ as their job will be sent a malicious .ZIP file titled ‘Senior Account Executive - International Freight position’.
Once opened, victims initiate the stealthy installation of the More_eggs backdoor that can download additional malicious plugins and provide remote access to their device.
Golden Chicken sell the backdoor under a malware as a service (MaaS) arrangement to other cyber criminals, made possible by More_Eggs’ tendency to maintain a stealthy profile by abusing legitimate Windows processes.
Researchers with eSentire disrupted an active spear phishing incident in which a health tech professional downloaded and executed a malicious .ZIP file.
Taking a proactive approach to cyber security
A complete guide to penetration testingDownload now
The researchers saw the victim unwittingly activate VenomLNK, an initial stage of More_Eggs that abused Windows Management Instrumentation to enable the plugin loader, TerraLoader. This, in turn, hijacks the cmstp and regsvr32 processes.
While TerraLoader is being initiated, a decoy Word document is presented to the victim to impersonate a job application but serves no functional purpose in the infection. This is simply a decoy that distracts the user from the background tasks of More_Eggs.
TerraLoader then installs msxsl in the user’s roaming profile and loads the payload, before signalling to a command and control (C&C) server through the copy of msxsl. This beacon then communicates that the More_Eggs backdoor is ready for Golden Chicken’s customer to log in and begin carrying out their goal.
Possibilities, depending on the group that More_Eggs is sold to on the MaaS model, include infecting with additional malware strains, such as ransomware, or getting a foothold into the victim’s network to exfiltrate data.
The eSentire researchers have so far been unable to determine what the ultimate purposes of this campaign might be, although it mirrors a similar campaign reported in February 2019 which also involved the More_Eggs backdoor.
Join the 90% of enterprises accelerating to the cloud
Business transformation through digital modernisationFree Download
Delivering on demand: Momentum builds toward flexible IT
A modern digital workplace strategyFree download
Modernise the workforce experience
Actionable insights and an optimised experience for both IT and end usersFree Download
The digital workplace roadmap
A leader's guide to strategy and successFree Download