There is a worrying spearphishing campaign running on LinkedIn at the moment that you should take note of if you happen to be hunting for a new job.
The campaign was discovered by eSentire, a cybersecurity solutions provider, which reports that a hacking group known as Golden Chickens sells a backdoor Trojan known as more_eggs to other criminal groups.
So how does this work?
Let’s say that your current title on LinkedIn is Senior Account Executive – International Freight. A ne’er-do-well would send you a .zip file named “Senior Account Executive – International Freight position”, lifting the title straight from your profile.
If you were to open the contents of that archive, more_eggs would be installed on your machine. It opens a backdoor and allows the installation of yet more malware.
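The distinguishing feature of this lure is that the archive’s file name is the recipient’s own job title, so an inbound-mail check can look for exactly that. The following is an added example for this article, not code from eSentire or from any product; the HR directory, the pipe-delimited gateway log lines and the field layout are constructed here for illustration and are assumptions about how a mail gateway might expose attachment metadata. It folds the various dash characters (the en dash in the title, the plain hyphen an attacker may type) before comparing, so a cosmetic change in punctuation does not defeat the match.

```python
"""Flag inbound archive attachments whose file name echoes the recipient's
own job title, the lure pattern described for the more_eggs campaign.

Added example for this article, not eSentire's or any vendor's code. The HR
directory, the log lines and the pipe-delimited layout are constructed
assumptions about what a mail gateway might expose.
"""
import re
from typing import Dict, List

# Constructed HR directory: recipient address -> current job title.
DIRECTORY: Dict[str, str] = {
    "a.smith@example.com": "Senior Account Executive – International Freight",
    "b.jones@example.com": "Logistics Coordinator",
}

# Archive types commonly used to wrap a malicious payload.
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".iso", ".img")

# Words a recruitment lure typically appends to the title.
LURE_WORDS = {"position", "offer", "role", "vacancy", "opening", "job", "opportunity"}

# Constructed gateway log lines: recipient|sender|attachment file name.
ATTACHMENT_LOG = [
    "a.smith@example.com|recruiter@mail-example.net|Senior Account Executive - International Freight position.zip",
    "b.jones@example.com|hr@example.com|Q3 shift roster.xlsx",
    "b.jones@example.com|talent@jobs-example.org|Logistics Coordinator role.zip",
    "a.smith@example.com|vendor@example.com|invoice-2211.zip",
]


def tokens(text: str) -> List[str]:
    """Lower-case, fold hyphen and the Unicode dash range to spaces, keep word tokens."""
    text = re.sub(r"[-\u2010-\u2015]", " ", text.lower())
    return re.findall(r"[a-z0-9]+", text)


def title_overlap(title: str, filename: str) -> float:
    """Fraction of the title's tokens that also appear in the file name."""
    title_toks = set(tokens(title))
    if not title_toks:
        return 0.0
    name_toks = set(tokens(filename))
    return len(title_toks & name_toks) / len(title_toks)


def assess(recipient: str, sender: str, filename: str,
           overlap_threshold: float = 0.75) -> Dict[str, object]:
    """Return a verdict dict with the reasons an attachment looks like a title-matched lure."""
    reasons: List[str] = []
    is_archive = filename.lower().endswith(ARCHIVE_EXTS)
    if is_archive:
        reasons.append("archive attachment")
    title = DIRECTORY.get(recipient.lower())
    overlap = title_overlap(title, filename) if title else 0.0
    if overlap >= overlap_threshold:
        reasons.append(f"file name matches recipient title ({overlap:.0%})")
    if LURE_WORDS & set(tokens(filename)):
        reasons.append("recruitment wording in file name")
    if sender.rsplit("@", 1)[-1].lower() != recipient.rsplit("@", 1)[-1].lower():
        reasons.append("external sender")
    # The lure needs both the archive and the personalised title; wording alone is noise.
    suspicious = is_archive and overlap >= overlap_threshold
    return {"recipient": recipient, "filename": filename,
            "suspicious": suspicious, "reasons": reasons}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse pipe-delimited gateway lines and return a verdict for each attachment."""
    verdicts = []
    for line in lines:
        recipient, sender, filename = line.split("|", 2)
        verdicts.append(assess(recipient, sender, filename))
    return verdicts


if __name__ == "__main__":
    for v in scan_log(ATTACHMENT_LOG):
        flag = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"{flag:10} {v['recipient']:22} {v['filename']}  [{'; '.join(v['reasons'])}]")
```

Requiring both the archive extension and the title match keeps ordinary recruiter mail (a PDF job description, say) from tripping the rule; the extra reasons are recorded so an analyst sees why an item was flagged without the verdict depending on them.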
“What is particularly worrisome about the more_eggs activity is that it has three elements which make it a formidable threat to businesses and business professionals,” explains senior director of the Threat Response Unit at eSentire, Rob McLeod.
Those three elements are as follows:
- The malware runs by abusing legitimate Windows processes, so it is unlikely to be flagged by anti-virus and other security tools.
- Including the target’s own job title in the malicious file name makes them far more likely to open it.
- Job offers are incredibly tempting right now given the mass lay-offs brought about by the ongoing pandemic.
“These three elements make more_eggs, and the cybercriminals which use this backdoor, very lethal,” added McLeod.
Three major cybercriminal groups are suspected of making use of more_eggs, all of which are active in the financial sector: FIN6, Evilnum and Cobalt Group. All three have a history of targeting financial firms. If these groups are indeed paying Golden Chickens for more_eggs, there is cause for concern.
While more_eggs has been around for at least three years, building lures from data scraped from LinkedIn is a novel approach.
If you receive a job offer in the form of a .zip file, treat it with caution. Pick up the telephone and call the company that is supposedly sending the offer, using a number from its official website rather than one given in the message, and find out whether the offer is legitimate.
It also goes without saying that you should not open job offers on a work machine: if you happen to install more_eggs there, you may soon need to go in search of a legitimate offer.