eSentire is warning enterprises and individuals that cybercriminals are spearphishing business professionals on LinkedIn with fake job offers in an effort to infect them with a sophisticated backdoor Trojan. Backdoor trojans, according to eSentire, give threat actors remote control over a victim's computer, allowing them to send, receive, launch and delete files.
eSentire’s research team, the Threat Response Unit (TRU), discovered that hackers are spearphishing victims with a malicious zip file using the job position listed on the target’s LinkedIn profile. For example, if the LinkedIn member’s job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the “position” added to the end). Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs. Once loaded, the sophisticated backdoor can download additional malicious plugins and provide hands-on access to the victim’s computer. The threat group behind more_eggs, Golden Chickens, sell the backdoor under a malware- as- a- service(MaaS) arrangement to other cybercriminals. Once more_eggs is on the victim’s computer system, the Golden Eggs seedy customers can go in and infect the system with any type of malware: ransomware, credential stealers, banking malware, or simply use the backdoor as a foothold into the victim’s network so as to exfiltrate data.
According to Rob McLeod, Sr. Director of the Threat Response Unit (TRU) for eSentire, there are three elements that make more_eggs activity and the cybercriminals which use this backdoor a formidable threat to businesses and business professionals:
1. It uses normal Windows processes to run so it is not going to typically be picked up by anti-virus and automated security solutions so it is quite stealthy.
2.Including the target’s job position from LinkedIn in the weaponized job offer increases the odds that the recipient will detonate the malware.
3.Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times.
In the spearphishing incident, the target was a professional working in the healthcare technology industry. The TRU team has not discovered forensics indicating the identity of the threat group, but this malware-as a service has been used by three notable threat groups: FIN6, Cobalt Group and Evilnum.
Chris Hazelton, Director of Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, explains, "It is likely the target was chosen by an attacker interested in gaining access to an organization’s cloud infrastructure, with a potential goal of exfiltrating sensitive data related to intellectual property or even infrastructure controlling medical devices. Connected devices, particularly medical devices, could be a treasure trove for cybercriminals. A phishing attack similar to this one may have been used in the breach of IoT vendor Ubiquiti."
With vaccinations being rolled out in some countries at an impressive rate, companies are looking to increase staff as the economy recovers, Hazelton adds. "This increase in LinkedIn messaging traffic means users are receiving more messages since the pandemic started, so they are spending less time vetting each message. Users of social media continue to put too much trust in those platforms to protect them from criminals. This is a good example of how ruthless cybercriminals continue to be. Cybercriminals are criminals and they will take advantage of any situation to trick targets into downloading malware. They will use any medium, PCs, social media, mobile apps, and text messaging to trick users into opening the door for cyberattacks."
Targeting LinkedIn is not rocket science, Chris Morales, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services. "It is social media for the corporate world with a description of the key players in every industry. I assume that I am a target too and always look for that. So, what’s up with Windows? Pretty simple. Attack surface. Despite the popularity of mobile devices by Apple and Google, Microsoft dominates the enterprise. Windows has 77% of the desktop OS market share, which is where most work gets done. That means the most return on investment for an attack comes from targeting Windows. As for, is it safe? I still think so. At least no more or less than anything else. Not much to gain from an unemployed worker using their own personal device. Other than perhaps intel on who they are talking to and hoping to infiltrate a future network. During the work from home state we are in, personal and organization devices coexist on the same network. However, I suspect this is really for those people looking for jobs while still employed. Not sure what those statistics looked like in 2020, but it is more common to look for a new job while still employed."