According to the latest reports, a new spear-phishing campaign has been infesting LinkedIn with malicious actors targeting the platform’s users using a sophisticated backdoor trojan called “more_eggs”.
LinkedIn is one of the most popular social media websites with more than 730 million registered users from 150 countries, as of 2021. The platform is primarily used for professional networking and allows job seekers to post their CVs and employers to post jobs.
The LinkedIn spear-phishing campaign:
Security experts analyzing the LinkedIn spear-phishing campaign have detailed that the malware campaign employs malicious ZIP archive files that have the same name as that of a target’s job taken from their LinkedIn profiles.
Giving an example, if a LinkedIn user’s job profile is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position.
Once the target opens the pretend job offer, an installation of the fileless backdoor “more_eggs” gets triggered, unbeknownst to the LinkedIn user.
Apparently, spear-phishing campaigns deploying the malicious “more_eggs” backdoor employing similar techniques have been found to be abusing the LinkedIn platform since 2018.
The backdoor is based on the malware-as-a-service (MaaS) provider called Golden Chickens.
The malicious actors propagating this phishing campaign are yet to be discovered however, it has been observed that “more_eggs” has been taken advantage of by multiple cybercrime groups such as Cobalt, FIN6, and Evilnum.
Once more_eggs gets installed, it inherently keeps itself from getting detected by hijacking authentic Windows processes under the ruse of an “employment” application document.
This essentially sidetracks the victim from finding any of its malicious activities triggered by the malware that is running in the background.
It can also retrieve additional payloads from an attacker-controlled server, such as banking trojans, ransomware, credential stealers, and even use the backdoor as a base in the victim’s network to poach data.
Highlights malicious advancements:
The particular LinkedIn spear phishing campaign and an overall spike in such intricate and stealthy cyber-attacks and malware deployments certainly highlight the sheer mal-efforts put in by malicious actors and cybercriminals to compromise victims.
Users are recommended to adequately investigate and analyze untrusting job listings so as to not fall prey to such cyberattacks and phishing campaigns.