According to cybersecurity firm eSentire's Threat Response Unit (TRU), the phishing lures follows a malicious ZIP archive file that has the same name as that of the victim's job titles taken from their LinkedIn profile. And once the fake job offer is opened, the victim has unwittingly initiated the stealthy installation of the fileless backdoor.
The backdoor upon execution can download additional malicious plugins and provide hands-on access to the victim’s computer and the threat group behind more_eggs, Golden Chickens, are known to sell the backdoor under a malware-as-a-service(MaaS) arrangement to other cybercriminals.
How More_Eggs Attacks are targeted at Professionals on LinkedIn
The TRU team analysis shows that the targets were professionals working in the healthcare technology industry, which upon downloading and executing the alleged job file, the victim unwittingly executed VenomLNK, an initial stage of more_eggs.
VenomLNK enables the malware’s plugin loader, TerraLoader, which then hijacks legitimate Windows processes, cmstp and regsvr32 by abusing Windows Management Instrumentation. With TerraLoader initiated, which is a decoy word document presented to the victim, designed to impersonate a legitimate employment application; but it serves no functional purpose in the infection.
Then, TerraLoader will install msxsl in the victim’s roaming profile and loads the payload, TerraPreter, which is an ActiveX control (.ocx file) downloaded from Amazon Web Services, as TerraPreter begins to beacon to a Command & Control server (C2) via the rogue copy of msxsl.
This signals that the more_eggs backdoor is ready for the threat group’s customer to gain access and carry out their malicious activities, whether it is to infect the victim with additional malware, such as ransomware, or getting a foothold into the victim’s network so as to exfiltrate data.
Risks posed by More_Eggs Backdoor to Organizations and Professionals
The threat actors went after employees of the healthcare technology sector with fake job offers, and cleverly using the job title listed on their LinkedIn profiles, in communications to the employees. They also used malicious email attachments which if the target clicked on the attachment, they'll get their system infected with more_eggs.
While the TRU team don't know for certainty what the end game is for this campaign, but what is clear is that this current activity mirrors an eerily similar campaign which was reported in the U.S. retail, entertainment and pharmaceutical companies in February 2019, where online shopping, were targeted.
Coincidentally, the hacking group, Evilnum is also known to spearphish employees of companies they are targeting by enclosing malicious zip files, which upon execution, gets the employees hit with the more_eggs backdoor, along with other malware.