A new spear phishing campaign targeting LinkedIn users is using fake job offers to lure potential victims. The payload of the malicious operation is the more_eggs backdoor, which is operated by the Golden Chickens group.
According to eSentire security researchers, the phishing messages try to lure professionals on LinkedIn into opening a malicious .ZIP attachment. The file is named after the victim’s current job title, as listed on their LinkedIn profile, to make it look legitimate.
“For example, if the LinkedIn member’s job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the “position” added to the end),” the report explained.
More about the more_eggs backdoor
The more_eggs phishing operation combines three elements that make it a “formidable threat to businesses and business professionals.”
First, the backdoor runs through legitimate Windows processes, which makes it hard for anti-virus solutions to distinguish from normal activity. In other words, the backdoor is “quite stealthy.” Second, because the malicious ZIP file carries the professional’s own job title plus the word “position”, the chances that the target opens it are much higher than with a generic lure.
Third, the attackers are exploiting the rise in unemployment during the pandemic. “A customized job lure is even more enticing during these troubled times,” the researchers’ report noted. Not surprisingly, this is not the first phishing operation taking advantage of the COVID-19 pandemic. Last year, we reported that more than 300 phishing campaigns created to harvest personal and banking details from potential victims were circulating on the web.
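Because the lure file name is built from the recipient’s own job title, a generic attachment-name signature will not catch it; what does work is correlating the attachment name with an internal HR or directory record. The script below is an added example written for this article, not eSentire’s detection or anything from the report: it normalizes job titles and attachment names (case, dashes, punctuation, stray spaces) and flags archive attachments whose name is the recipient’s title followed by “position”, or that merely contain the title. The directory mapping, the log line format (timestamp|sender|recipient|attachment) and the sample log lines are all constructed for the example.

```python
"""Flag inbound archive attachments named after the recipient's own job title.

Added example for this article. The directory export, the mail-gateway log
format and the sample lines are constructed assumptions, not eSentire data.
"""
import re
import unicodedata
from dataclasses import dataclass

# Assumed: an HR/directory export mapping mailbox -> job title (constructed)
DIRECTORY = {
    "jdoe@example.com": "Senior Account Executive\u2014International Freight",
    "asmith@example.com": "Staff Security Engineer",
}

# Constructed sample mail-gateway log: timestamp|sender|recipient|attachment
SAMPLE_LOG = """\
2021-04-06T09:12:03Z|recruiter@mail.example|jdoe@example.com|Senior Account Executive - International Freight position.zip
2021-04-06T09:13:41Z|hr@example.com|asmith@example.com|Q2_budget.xlsx
2021-04-06T09:15:09Z|talent@mail.example|asmith@example.com|STAFF SECURITY ENGINEER POSITION.ZIP
2021-04-06T09:16:22Z|vendor@mail.example|jdoe@example.com|invoice.zip
"""

# Container formats commonly used to smuggle a first-stage loader past filters
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img"}


def normalize(text):
    """Fold case, turn dashes/underscores/punctuation into spaces, collapse whitespace.

    This makes "Senior Account Executive\u2014International Freight" compare equal to
    "senior account executive - international freight".
    """
    text = unicodedata.normalize("NFKC", text).casefold()
    text = re.sub(r"[\u2010-\u2015\-_]+", " ", text)   # hyphens, en/em dashes, underscores
    text = re.sub(r"[^\w\s]", " ", text)               # remaining punctuation
    return re.sub(r"\s+", " ", text).strip()


def classify_attachment(recipient, attachment):
    """Return None, "title_lure" (title + 'position') or "title_in_name" (title anywhere).

    Only archive attachments are considered; non-archive files return None.
    """
    stem, dot, ext = attachment.rpartition(".")
    if not dot or "." + ext.casefold() not in ARCHIVE_EXT:
        return None
    title = DIRECTORY.get(recipient.casefold())
    if not title:
        return None
    norm_stem, norm_title = normalize(stem), normalize(title)
    if norm_stem == norm_title + " position":
        return "title_lure"
    if norm_title in norm_stem:
        return "title_in_name"
    return None


@dataclass
class Hit:
    when: str
    sender: str
    recipient: str
    attachment: str
    reason: str


def scan_log(log_text):
    """Run classify_attachment over every log line and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, sender, recipient, attachment = line.split("|", 3)
        reason = classify_attachment(recipient, attachment)
        if reason:
            hits.append(Hit(when, sender, recipient, attachment, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.when} {hit.reason}: {hit.sender} -> {hit.recipient} [{hit.attachment}]")
```

Run against the constructed log, the two tailored ZIPs are reported as “title_lure” while the budget spreadsheet and the generic invoice.zip are ignored. The looser “title_in_name” match is deliberately kept separate so that a team can route it to a lower-severity queue; the exact title-plus-“position” pattern is the one the report describes and deserves a direct look.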
The researchers are still uncertain of the end goal of the spear phishing operation. Fortunately, the activities associated with the more_eggs backdoor against LinkedIn users have now been disrupted. It is noteworthy that this campaign is “eerily similar” to another spear phishing operation detected in February 2019, which targeted retail, entertainment, and pharmaceutical employees in the U.S.
Other phishing campaigns against LinkedIn users
There have been numerous phishing campaigns targeting professionals on LinkedIn. Another campaign attempted to trick users of the professional network into uploading their CVs via lure emails titled “job openings for active LinkedIn users”.
CVs usually contain a wealth of sensitive personal information, including home addresses, email addresses, and phone numbers. Once harvested, that information can fuel a variety of activities, from promotional cold calling and identity theft to vishing attacks and further spear phishing attempts against the targeted user’s employers or colleagues.