The global economy has been seriously upset by the Covid-19 pandemic and the aftershocks can still be felt through many industries and sectors. A lot of people lost their jobs in the shifting conditions and, logically, a lot of them went on LinkedIn to look for new opportunities.
Bad actors are always on the lookout for new opportunities as well, and they saw this surge in LinkedIn activity as one. Security researchers at the detection and response company eSentire recently reported a new phishing campaign targeting LinkedIn users with stealthy and dangerous malware.
Fileless Malware Poses Significant Threat
According to eSentire experts, the threat group behind the new campaign is called Golden Chickens. The malware they use in this new phishing campaign delivered through LinkedIn messages is, fittingly, called "more_eggs".
More_eggs is fileless malware: it abuses legitimate Windows processes, feeding them functions and specific instructions stored in scripts rather than dropping a conventional executable. This makes it particularly difficult to detect.
Another notable aspect of this campaign is that it is unlike most blanket phishing attempts, where millions of emails go out to potentially millions of active users. The approach used here is far more targeted and qualifies as spear phishing: an attack that uses credible names and pretexts, which are much more likely to lure the victim into opening the malicious file.
The messages sent to LinkedIn users' inboxes were very specific: they named the job the target last held, with the word "position" appended after it, implying a real offer for the same role. This alone makes for a very believable lure, and the targeted approach appears to be working.
The malicious file used by more_eggs is a zip archive that, once opened, quietly deploys the malware. Once infected, the system is open to the threat actors behind the malware, and additional malicious payloads can be downloaded and deployed remotely.
"Malware-as-a-service" Makes a Return
This recent more_eggs campaign is also not conducted by the Golden Chickens group itself. eSentire reports that the threat actor is instead selling or licensing the malware to third-party bad actors and operating it as a service. The concept is not revolutionary or new, but the fact that prominent threat actors such as Cobalt Group are using more_eggs shows that it is working well for the criminals.
The experts at eSentire singled out a number of indicators of compromise specific to more_eggs. These include the C&C beacon, the zip file's hash and the download server used by more_eggs:
- C&C beacon: d27qdop2sa027t.cloudfront[.]net
- Zip file hash: 776c355a89d32157857113a49e516e74
- Server: ec2-13-58-146-177.us-east-2.compute.amazonaws[.]com
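As an added example (not part of the original article or eSentire's report), here is a small Python scanner that loads the three indicators above, "refangs" them (the published form uses `[.]` so they cannot be clicked), and checks proxy and endpoint log lines for matches. The log lines are constructed sample data, not real telemetry.

```python
import re

# Indicators for the more_eggs campaign, copied from the list above (defanged form).
MORE_EGGS_IOCS = {
    "domain": [
        "d27qdop2sa027t.cloudfront[.]net",
        "ec2-13-58-146-177.us-east-2.compute.amazonaws[.]com",
    ],
    "md5": ["776c355a89d32157857113a49e516e74"],
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def build_matchers(iocs):
    """Normalise the IoC list into lookup sets (domains refanged, hashes lowercased)."""
    domains = {refang(d) for d in iocs["domain"]}
    hashes = {h.lower() for h in iocs["md5"]}
    return domains, hashes

HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]+\.[a-z]{2,}", re.I)  # host-like tokens
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)                # 32 hex chars

def scan_line(line, domains, hashes):
    """Return a list of (kind, value) hits found in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        if host.lower() in domains:
            hits.append(("domain", host.lower()))
    for digest in MD5_RE.findall(line):
        if digest.lower() in hashes:
            hits.append(("md5", digest.lower()))
    return hits

def scan_log(lines, iocs=MORE_EGGS_IOCS):
    """Scan log lines; return (line_number, line, hits) for every line with a hit."""
    domains, hashes = build_matchers(iocs)
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line, domains, hashes)
        if hits:
            results.append((number, line, hits))
    return results

# Constructed sample log lines (hypothetical proxy and EDR events, not real data).
SAMPLE_LOG = [
    "2021-04-05T10:01:12Z proxy GET https://www.linkedin.com/jobs/ 200",
    "2021-04-05T10:03:44Z proxy GET https://d27qdop2sa027t.cloudfront.net/ 200",
    "2021-04-05T10:03:50Z edr file_create C:\\Users\\a\\Downloads\\offer.zip md5=776C355A89D32157857113A49E516E74",
    "2021-04-05T10:04:02Z proxy GET https://ec2-13-58-146-177.us-east-2.compute.amazonaws.com/ 200",
]

if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Matching on hash and hostname is case-insensitive, so an uppercase MD5 from an EDR event still hits.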