eSentire researchers warn that LinkedIn users are being targeted in a spear-phishing campaign that drops a backdoor Trojan. Threat actors distribute zip files disguised as job offers, and the files contain the More_eggs backdoor.
eSentire, the Ontario-based cybersecurity firm that discovered the ongoing campaign, says it resembles the 2020 campaign reported by Check Point researchers, which also used the More_eggs backdoor. This time, however, the threat actors deliver the malware in zip files and choose their victims based on the job description on the target's LinkedIn profile. In both campaigns the attackers' goal was the same: infect the victim's device with the More_eggs backdoor and exfiltrate data.
In February 2020, Check Point reported that attackers were using the More_eggs backdoor to target anti-money-laundering officers, contacting them through LinkedIn's messaging service with fake job opportunities that spread the malware.
In the current campaign, the zip files contain an employment application in Word format; once the document is opened, the victim's device is infected with More_eggs.
According to the researchers, More_eggs currently targets Windows devices and can take full control of the victim's computer, allowing the hackers to send, receive, delete, and open files. The researchers also warn that More_eggs can exfiltrate data, including social media accounts, emails, browsing history, and cryptocurrency wallets.
The hackers also dropped additional payloads on the target system that ultimately locked the victim's files, after which they demanded a ransom to decrypt the data.
“What is particularly worrisome about the more_eggs activity is that it has three elements which make it a formidable threat to businesses and business professionals,” said Rob McLeod, Senior Director of the Threat Response Unit (TRU) for eSentire.
According to the researchers, the malware is hard to detect because it runs through normal Windows processes, so anti-virus and automated security solutions would not pick it up.
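Because the infection starts when a Word document is opened and the backdoor then runs through built-in Windows processes, one practical detection is to look at process ancestry rather than file signatures: a script host or loader binary whose ancestor chain includes an Office application is suspicious even when every binary involved is legitimate. The example below is added here and is not eSentire's or Check Point's code; the watchlist of Office applications and script-host binaries is an assumption, and the process-creation events are a constructed sample, not real telemetry from the campaign.

```python
"""Flag built-in Windows script hosts and loaders spawned under an Office application.

Added illustration, not code from the article or the vendors it quotes.
Events mimic the fields a process-creation log (e.g. EDR or Sysmon-style
telemetry) would provide: pid, ppid, image name, command line.
"""

# Assumed watchlists: Office document viewers and commonly abused built-in binaries.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBIN_HOSTS = {
    "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
    "regsvr32.exe", "mshta.exe", "rundll32.exe", "msiexec.exe",
}

# Constructed sample events (not real data). Word spawns cmd, which spawns
# cscript; a separate PowerShell started from Explorer is a benign decoy.
SAMPLE_EVENTS = [
    {"pid": 900, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 900, "image": "winword.exe",
     "cmdline": 'WINWORD.EXE /n "Employment_Application.docx"'},
    {"pid": 4220, "ppid": 4100, "image": "cmd.exe",
     "cmdline": "cmd.exe /c cscript.exe //E:jscript C:\\Users\\Public\\update.txt"},
    {"pid": 4250, "ppid": 4220, "image": "cscript.exe",
     "cmdline": "cscript.exe //E:jscript C:\\Users\\Public\\update.txt"},
    {"pid": 4300, "ppid": 900, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},  # benign: parent is Explorer
    {"pid": 4400, "ppid": 4100, "image": "splwow64.exe",
     "cmdline": "splwow64.exe 12288"},  # benign print helper under Word
]


def build_index(events):
    """Map pid -> event so ancestry can be walked without rescanning the list."""
    return {e["pid"]: e for e in events}


def ancestry(event, by_pid, max_depth=5):
    """Return ancestor image names, nearest parent first, up to max_depth levels."""
    chain = []
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current["ppid"])
        if parent is None:
            break
        chain.append(parent["image"].lower())
        current = parent
    return chain


def find_office_spawned_lolbins(events):
    """Return alerts for watchlisted binaries that have an Office app as an ancestor.

    Walking the full chain (not just the direct parent) catches the common
    Word -> cmd.exe -> cscript.exe pattern where an intermediate shell hides
    the Office parent from a naive parent/child rule.
    """
    by_pid = build_index(events)
    alerts = []
    for e in events:
        image = e["image"].lower()
        if image not in LOLBIN_HOSTS:
            continue
        chain = ancestry(e, by_pid)
        office = next((img for img in chain if img in OFFICE_APPS), None)
        if office is None:
            continue
        alerts.append({
            "pid": e["pid"],
            "image": image,
            "office_ancestor": office,
            "chain": chain,
            "cmdline": e["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_office_spawned_lolbins(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} {alert['image']} under "
              f"{alert['office_ancestor']} via {' <- '.join(alert['chain'])}")
        print(f"      cmdline: {alert['cmdline']}")
```

On the constructed sample this flags the cmd.exe and cscript.exe processes beneath Word and leaves the Explorer-launched PowerShell and the print helper alone. In a real deployment the same logic would run over your endpoint telemetry's process-creation events, and the watchlists would be tuned to the Office and scripting binaries actually present in the environment.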