"For example, if the LinkedIn member's job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the 'position' added to the end)," cybersecurity firm eSentire's Threat Response Unit (TRU) said in an analysis. "Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs."
Campaigns delivering more_eggs using the same modus operandi have been spotted at least since 2018, with the backdoor attributed to a malware-as-a-service (MaaS) provider called Golden Chickens. The adversaries behind this new wave of attacks remain unknown as yet, although more_eggs has been put to use by various cybercrime groups such as Cobalt, FIN6, and EvilNum in the past.
Once installed, more_eggs maintains a stealthy profile by hijacking legitimate Windows processes while presenting the decoy "employment application" document to distract targets from the background tasks the malware has triggered. Furthermore, it can act as a conduit to retrieve additional payloads from an attacker-controlled server, such as banking trojans, ransomware, and credential stealers, and the attackers can even use the backdoor as a foothold in the victim's network to exfiltrate data.
Trojans like more_eggs can be a significant threat to users' privacy and computer safety. These trojans are often used to inject systems with additional malware, such as data-tracking trojans, ransomware, cryptominers, and so on. Data-tracking infections record keystrokes, saved logins/passwords, banking details, and other similar personal data. Cyber criminals attempt to generate as much revenue as possible. Therefore, they can misuse hijacked accounts to steal victims' savings and even identities. Ransomware compromises data (usually by encryption) and makes ransom demands in exchange for recovery of the system. Note that cyber criminals cannot be trusted. Whatever the cost, never agree to pay, since you will be scammed.
Cryptomining applications misuse infiltrated systems to mine cryptocurrency without users' consent. Cryptomining can take up to 100% of system resources, thus making the system unstable (it can crash) and virtually unusable (it barely responds). Furthermore, fully-loaded hardware generates excessive heat. Therefore, under certain circumstances (e.g., high room temperatures, inadequate cooling, etc.), system components can overheat and be permanently damaged.
If anything, the latest development is yet another indication of how threat actors are constantly tweaking their attacks with personalized lures in an attempt to trick unsuspecting users into downloading malware.
"Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment," the researchers said. "Thus, a customized job lure is even more enticing during these troubled times."
Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings