According to researchers at eSentire, the threat group “Golden Chickens” is targeting professionals with fake job offers on LinkedIn, delivering the fileless backdoor more_eggs through a spear-phishing campaign.
The group is well organized and uses a variety of techniques for malicious ends. First, it gathers information about the victim, chiefly the job title shown on their profile. A word such as “position” is appended to that title to make the lure look like a genuine offer. The group then sends spear-phishing emails that try to trick the job seeker into opening a malicious ZIP file whose name is the job seeker’s current job title with such a phrase added at the end, all to make the offer appear as legitimate as possible.
As soon as the victim opens the fake job offer, he or she unknowingly starts the stealthy installation of the fileless backdoor more_eggs. For example, if a LinkedIn user’s job is listed as “Senior Account Executive–international freight”, the malicious ZIP file, following the added “position” phrase, would be named “Senior Account Executive—International Freight position”.
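As an added illustration (not code from the article or from eSentire), the following Python heuristic flags a ZIP attachment whose file name is the recipient’s known job title followed by “position”, normalizing the dash and case differences seen in the example above so the en-dash in the profile still matches the em-dash in the lure. The recipient titles, the attachment records and the extra suffix words beyond “position” are constructed assumptions.

```python
import re
import unicodedata

# Constructed sample: recipient -> job title as it appears on the recipient's profile.
RECIPIENT_TITLES = {
    "alice@example.com": "Senior Account Executive–international freight",
    "bob@example.com": "Staff Engineer",
}

# Constructed mail-gateway records: (recipient, attachment file name).
ATTACHMENTS = [
    ("alice@example.com", "Senior Account Executive—International Freight position.zip"),
    ("alice@example.com", "Q3-invoice.pdf"),
    ("bob@example.com", "Staff Engineer Position.zip"),
    ("bob@example.com", "Senior Account Executive position.zip"),  # title of someone else
]

# "position" is the phrase named in the article; the other suffixes are an assumption.
LURE_SUFFIXES = ("position", "role", "job", "offer")
DASHES = "[\u2010-\u2015-]"  # hyphen, en-dash, em-dash and similar variants


def normalize(text):
    """Case-fold, unify dash variants and collapse whitespace so that
    'Executive–international' and 'Executive—International' compare equal."""
    text = unicodedata.normalize("NFKC", text)
    text = re.sub(DASHES, "-", text)
    text = re.sub(r"\s*-\s*", "-", text)          # drop spaces around dashes
    return re.sub(r"\s+", " ", text).strip().casefold()


def is_job_title_lure(recipient_title, filename):
    """True when a .zip attachment is named '<recipient's job title> <suffix>'."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext.lower() != "zip":           # only ZIP lures are described in the campaign
        return False
    stem_n = normalize(stem)
    title_n = normalize(recipient_title)
    return any(stem_n == f"{title_n} {suffix}" for suffix in LURE_SUFFIXES)


def flag_lures(attachments, titles):
    """Return the (recipient, filename) pairs that match the job-title lure pattern."""
    return [(r, f) for r, f in attachments
            if r in titles and is_job_title_lure(titles[r], f)]


if __name__ == "__main__":
    for recipient, filename in flag_lures(ATTACHMENTS, RECIPIENT_TITLES):
        print(f"possible job-title lure for {recipient}: {filename}")
```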
Reports show that once this malicious ZIP file is opened, more_eggs can fetch further malware and take control of the victim’s system. eSentire reports that more_eggs is offered as malware-as-a-service by Golden Chickens to other cybercriminals, who use it for a number of malicious purposes, such as:
- To get a foothold in victim’s devices
- To install other varieties of malware
- To install banking malware
- To install credential stealers
- To install ransomware
- To exfiltrate data
a) more_eggs Trojan: A Daunting Threat
According to reports, McLeod, director of eSentire’s Threat Response Unit, pointed out three particular features of the more_eggs Trojan that make it a highly effective menace and a “formidable threat to business and business professionals.”
- It abuses normal Windows processes to evade antivirus protections
- Personalized spear-phishing emails are used to entice victims to click on the fake job offer
- In the midst of a global pandemic and unprecedented unemployment rates, the malware exploits desperate job hunters
Researchers have observed the groups FIN6, Cobalt Group, and Evilnum all using more_eggs for their own malicious purposes. eSentire has not been able to pinpoint the group behind this more_eggs campaign.
b) more_eggs as Malware-as-a-Service
The use of more_eggs is not new; similar techniques have been used to fool people in the past. In 2019, the financially motivated threat group FIN6 used more_eggs to target e-commerce companies. eSentire’s researchers have not yet directly linked this campaign to FIN6, but they consider it a plausible attribution, since around the same time hackers used more_eggs to breach the online payment systems of retail, entertainment, and pharmaceutical companies.
The campaign targets not only unemployed individuals but employed ones too, in order to gain access to their sensitive data. Other groups such as Evilnum attack financial technology companies to steal data such as spreadsheets, customer lists, and trading credentials, while Cobalt Group mainly targets financial companies with the more_eggs backdoor.
c) Protective Measures
According to researchers, the motivation behind the attacks is unclear.
Speaking to Threatpost, Chris Morales, Chief Information Officer (CIO) of Netenrich, said:
“Not much to gain from an unemployed worker using their own personal device”
“Other than perhaps intel on who they are talking to and hoping to infiltrate a future network. During the work-from-home state we are in, personal and organization devices coexist on the same network.”
According to the report, eSentire is closely tracking the more_eggs LinkedIn attack, which targeted a professional in the health care technology sector. Speaking to Threatpost, Chris Hazelton of mobile security provider Lookout said that this victim was likely chosen so that cybercriminals could gain access to the organization’s cloud infrastructure, with the potential aim of exfiltrating sensitive information such as intellectual property, or even of reaching the infrastructure that controls medical devices.
He added:
“Connected devices, particularly medical devices, could be a treasure trove for cybercriminals.”
Morales added that, to avoid falling for the scam, the entire LinkedIn community should be on the lookout for spear-phishing frauds.
Lastly, he said:
“Targeting LinkedIn is not rocket science. It is social media for the corporate world with a description of the key players in every industry. I assume that I am a target too and always look for that.”