A new wave of malware and spyware attacks is underway, and it appears to be highly successful. Hackers are preying on job seekers who have registered on LinkedIn, using the ‘More_Eggs’ malware.
Using the simplest form of spear-phishing attack, malicious code writers are infecting the computers of LinkedIn users. The hackers rely on snippets of information they harvest from openly available LinkedIn profiles.
Hacking group Golden Chickens sending fake job offers laced with malware to LinkedIn users:
A new hacking campaign is reportedly taking advantage of job seekers to break into company networks. Security firm eSentire has observed multiple instances of spear-phishing attacks that were reportedly successful.
The security firm has identified the main group behind the new campaign. Called Golden Chickens, this group of malicious code writers is even offering its services to other criminal groups.
Malware-laced job offers are being sent via LinkedIn in a new phishing scam. Security firm eSentire recently published a report detailing how hackers connected to a group dubbed “Golden Chickens” have been waging a malicious campaign. pic.twitter.com/AXSTcMT8b7
— Daballoti ❁ (@heydaballoti) April 7, 2021
The hacking group’s methodology is surprisingly simple and highly effective. The group collects simple identifiers and tags, along with other contact information, from LinkedIn profiles.
The hackers then craft an email around those tags and identifiers. They hide their malicious payload inside a ZIP file whose name is the key identifier or tag word the job seeker is using.
eSentire discovers new attacks from Golden Chickens, the group and operators of a Malware-as-a-Service portal behind the more_eggs backdoor https://t.co/j4JQ0zjhwK pic.twitter.com/J8lC4eFUmM
— Catalin Cimpanu (@campuscodi) April 5, 2021
As soon as the unsuspecting job seeker opens the ZIP file to access its contents, the file launches the trojan. It reportedly installs the ‘More_Eggs’ trojan on the victim’s PC.
According to the security firm that discovered the new campaign, the “More_Eggs” trojan is capable of granting shell, root, or administrative access and privileges. Needless to say, with this privileged access, hackers can further their campaign and look for more vulnerabilities or access points to exploit.
Hacking group offering their ‘More_Eggs’ hack as malware-as-a-service:
The ‘More_Eggs’ creators are looking for additional revenue streams. Hence, they are offering their tooling as malware-as-a-service to any criminal who wants to attack a target, said Rob McLeod, Senior Director of the Threat Response Unit (TRU) at eSentire.
“In the current economic climate, this kind of phishing attempt is likely to be much more effective than otherwise”.
Once a machine has been infiltrated, hackers can install even more malware, from ransomware to credential stealers.
“The Golden Chicken hacking group is targeting LinkedIn users with fake job offers to infect them with a sophisticated malware strain that can allow them to take control of victims’ computers.” https://t.co/B6xWrqNbes
— Octree Limited (@octreelimited) April 6, 2021
McLeod explained the seriousness of the trojan:
- It uses normal Windows processes to run, so it is not typically picked up by anti-virus and automated security solutions; it is quite stealthy.
- Including the target’s job position from LinkedIn in the weaponized job offer increases the odds that the recipient will detonate the malware.
- Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times.
The attack does not yet appear to be focused on particular targets. Moreover, the security research and response teams have indicated that they have managed to disrupt it.
The ‘More_Eggs’ malware appears to follow a pattern similar to a 2019 attack on U.S. retail, entertainment and pharmaceutical companies that offer online shopping. In that campaign, attackers sent fake job offers to employees, using the job titles listed on their LinkedIn profiles.