Suppose a user’s job position on LinkedIn is listed as “senior product marketing manager”. In that case, the malicious file uses that same title with the word “position” appended, so that the victim believes they are receiving an offer for a relevant job. It is a clever, customized phishing technique that plays especially on the COVID-19 job climate.
But when the victim opens the .zip file, they end up downloading the fileless backdoor “more_eggs”.
From there, the attackers can do whatever they want: download additional malware aimed at full system control, ransom or data exfiltration.
Unfortunately, anti-virus and other automated security tools typically do not flag this type of file, because the backdoor executes through standard Windows processes rather than dropping a conventional executable for them to scan.
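Because the payload itself evades file-based scanning, one practical complement is to catch the lure at the mail gateway: the attachment is an archive named after the recipient’s publicly listed job title plus “position”. The following is an added example, not code from eSentire or from the article; the recipient directory, message records and extra lure suffixes (“job offer”, “opportunity”) are constructed assumptions, while the “position” suffix and the .zip attachment come from the article.

```python
"""Gateway heuristic for the job-title lure: flag archive attachments whose
filename is built from the recipient's publicly listed job title.

Constructed example; the directory and messages below are made up.
"""
import re
from typing import Dict, List, Optional, Tuple

# "position" is the suffix described in the article; the others are assumed
# variants a defender might also want to catch.
LURE_SUFFIXES = ("position", "job offer", "opportunity")
# .zip is from the article; .rar and .7z are assumed additional archive types.
ARCHIVE_EXTS = (".zip", ".rar", ".7z")


def _norm(text: str) -> str:
    """Lowercase, drop punctuation and collapse whitespace so that
    'Senior Product-Marketing Manager' and 'senior product marketing manager'
    compare equal."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())


def matches_title_lure(attachment_name: str, job_title: str) -> Optional[str]:
    """Return a reason string if the attachment looks like a title-based lure,
    otherwise None. Only archive attachments are considered."""
    if not attachment_name.lower().endswith(ARCHIVE_EXTS):
        return None
    stem = _norm(attachment_name.rsplit(".", 1)[0])
    title = _norm(job_title)
    if not title:
        return None
    if stem == title:
        return "archive named exactly after recipient job title"
    for suffix in LURE_SUFFIXES:
        if stem == f"{title} {suffix}":
            return f"archive named after recipient job title + '{suffix}'"
    if title in stem:
        return "archive filename contains recipient job title"
    return None


def triage(messages: List[Dict], directory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Run the heuristic over inbound messages.

    messages: list of {"recipient": addr, "attachments": [filenames]}
    directory: recipient address -> publicly listed job title (assumed to be
    kept in sync with what staff publish on LinkedIn).
    Returns (recipient, attachment, reason) for every hit.
    """
    hits = []
    for msg in messages:
        title = directory.get(msg["recipient"])
        if not title:
            continue
        for att in msg["attachments"]:
            reason = matches_title_lure(att, title)
            if reason:
                hits.append((msg["recipient"], att, reason))
    return hits


# Constructed sample data.
SAMPLE_DIRECTORY = {
    "alice@example.test": "Senior Product Marketing Manager",
    "bob@example.test": "Site Reliability Engineer",
}
SAMPLE_MESSAGES = [
    {"recipient": "alice@example.test",
     "attachments": ["Senior Product Marketing Manager position.zip"]},
    {"recipient": "alice@example.test",
     "attachments": ["Q3 campaign plan.pdf"]},
    {"recipient": "bob@example.test",
     "attachments": ["site-reliability-engineer.zip", "runbook.txt"]},
    {"recipient": "carol@example.test",  # not in directory: skipped
     "attachments": ["Senior Product Marketing Manager position.zip"]},
]


def sample_hits() -> List[Tuple[str, str, str]]:
    return triage(SAMPLE_MESSAGES, SAMPLE_DIRECTORY)


if __name__ == "__main__":
    for recipient, att, reason in sample_hits():
        print(f"{recipient}: {att} -> {reason}")
```

The heuristic deliberately keys on the archive container and the filename rather than on the payload, since the article’s point is that the payload itself does not look suspicious to file scanners; a hit here is a reason to quarantine the message for review, not proof of compromise.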
At this time, there is no attribution for this specific campaign. But “more_eggs” is typically sold by the threat group Golden Chickens (yes, that’s their name) as malware-as-a-service (MaaS).
The MaaS has been used by notable groups FIN6, Cobalt Group and Evilnum.
This isn't the first time eSentire has seen an attack like this. According to the researchers, "...this current activity mirrors an eerily similar campaign which was reported in February 2019, where U.S. retail, entertainment and pharmaceutical companies, which offer online shopping, were targeted. The threat actors went after employees of these companies with fake job offers, cleverly using the job title listed on their LinkedIn profiles, in their communications to the employees. Similar to the current incident, they also used malicious email attachments and if the target clicked