A new spear-phishing campaign is targeting professionals on LinkedIn with weaponed job offers in an attempt to infect targets with a sophisticated backdoor trojan called “more_eggs.”. The phishing lures take advantage of malicious ZIP archive files that have the same name as that of the victims’ job titles taken from their LinkedIn profiles.
“For example, if the LinkedIn member’s job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position,” cybersecurity firm eSentire’s Threat Response Unit (TRU) said in an analysis. “Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs.”
Campaigns delivering more_eggs using the same modus operandi have been spotted at least since 2018, with the backdoor attributed to a malware-as-a-service (MaaS) provider called Golden Chickens. The adversaries behind this new wave of attacks remain unknown as yet, although more_eggs has been put to use by various cybercrime groups such as Cobalt, FIN6, and EvilNum in the past.
Once installed, more_eggs maintains a stealthy profile by hijacking legitimate Windows processes while presenting the decoy “employment application” document to distract targets from ongoing background tasks triggered by the malware.
It can act as a conduit to retrieve additional payloads from an attacker-controlled server, such as banking trojans, ransomware, credential stealers, and even use the backdoor as a foothold in the victim’s network so as to exfiltrate data.
Its another indication of how threat actors are constantly tweaking their attacks with personalized lures in an attempt to trick unsuspecting users into downloading malware.