A group known as Golden Chickens is carrying out attacks on the social network LinkedIn, posting fake job offers whose sole purpose is to infect the target with a backdoor Trojan.
As eSentire explains, the attackers send a malicious zip file named after the job title listed on the target's LinkedIn profile. That is, if you are a Senior Account Executive, the malicious zip file would be named "Senior Account Executive position".
If this file is opened, the victim unknowingly initiates the installation of a backdoor named more_eggs. Once loaded, this backdoor can download further malicious files and give the attackers easier access to the victim's computer.
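The lure described above is easy to spot mechanically: the archive is named after a job title the organisation actually advertises, and it delivers a loader rather than a document. The following is an added detection example, not code from eSentire or from the article, that triages inbound zip attachments on both signals. The job-title list, the set of "loader" file types flagged inside the archive (the article does not say what the zip contains) and the sample archives are all constructed assumptions for the example.

```python
import io
import re
import zipfile

# Assumed: job titles the organisation lists on LinkedIn (hypothetical sample).
JOB_TITLES = [
    "Senior Account Executive",
    "Health Technology Product Manager",
    "Software Engineer",
]

# Assumed: file types that should never arrive inside a "job offer" archive.
# The article does not specify the payload type; this list is the editor's choice.
SUSPICIOUS_EXT = {".lnk", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}

# Words that, combined with a job title, make the file name look like a job-offer lure.
LURE_WORDS = ("position", "job", "opening", "offer", "role", "vacancy")


def normalize(text):
    """Lower-case and collapse punctuation/whitespace so 'Senior-Account_Executive' matches."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def lure_name_matches(filename, titles=JOB_TITLES):
    """Return the job title the archive name is built from, or None."""
    stem = re.sub(r"\.zip$", "", filename.rsplit("/", 1)[-1], flags=re.IGNORECASE)
    name = normalize(stem)
    for title in titles:
        t = normalize(title)
        if t and re.search(rf"\b{re.escape(t)}\b", name):
            # Exact title, or title plus a lure word such as "position".
            if name == t or any(w in name.split() for w in LURE_WORDS):
                return title
    return None


def suspicious_members(zip_bytes):
    """List archive members whose extension is in SUSPICIOUS_EXT (e.g. a .lnk loader)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in SUSPICIOUS_EXT:
                hits.append(info.filename)
    return hits


def triage(filename, zip_bytes, titles=JOB_TITLES):
    """Combine both signals: lure-style name AND loader inside -> suspicious;
    only one of them -> review; neither -> clean."""
    reasons = []
    title = lure_name_matches(filename, titles)
    if title:
        reasons.append(f"archive named after advertised job title '{title}'")
    members = suspicious_members(zip_bytes)
    if members:
        reasons.append("archive contains loader-type files: " + ", ".join(members))
    verdict = {0: "clean", 1: "review", 2: "suspicious"}[len(reasons)]
    return {"file": filename, "verdict": verdict, "reasons": reasons}


def build_zip(members):
    """Helper to construct an in-memory zip for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real malware: a lure-style archive with a shortcut
# loader, a lure-style archive with only a PDF, and an ordinary report archive.
LURE_ZIP = build_zip({"Senior Account Executive position.lnk": b"placeholder, not a real shortcut"})
PDF_ONLY_ZIP = build_zip({"Senior Account Executive position.pdf": b"%PDF-1.4 placeholder"})
BENIGN_ZIP = build_zip({"Q3 report.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for name, data in [
        ("Senior Account Executive position.zip", LURE_ZIP),
        ("Senior_Account_Executive_position.zip", PDF_ONLY_ZIP),
        ("Q3_report.zip", BENIGN_ZIP),
    ]:
        print(triage(name, data))
```

In a mail gateway or SOAR playbook the title list would come from the HR directory or the company's LinkedIn page rather than a constant, and the "review" verdict is there so that a lure-style name with a harmless PDF is still surfaced to an analyst without blocking legitimate recruiter traffic.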
Malware as a Service
The group behind more_eggs is Golden Chickens and, according to eSentire, it sells this backdoor as Malware as a Service (MaaS) to other cybercriminals. Once more_eggs is on the victim's system, Golden Chickens' "clients" can infect the machine with any type of malware of their choosing.
The most dangerous aspect of this attack is that the malware runs stealthily, executing through legitimate Windows processes rather than dropping a conspicuous executable of its own. Because only normal system processes are visible, the antivirus program may never detect it.
It should be noted, however, that the researchers who discovered this attack also state that the campaigns using this MaaS do not appear to be very numerous and that, furthermore, they are selective. In any case, there is forensic evidence that this malware as a service has been used by three groups: FIN6, Cobalt Group and Evilnum.
Some “old acquaintances”
These three organized groups are "old acquaintances" in the security world. FIN6 is a financially motivated cybercrime group that mainly steals payment card data and sells it on underground markets.
Meanwhile, Evilnum is best known for targeting fintech firms, companies that provide stock trading tools and platforms. Its objective is the financial information held by the fintech companies and their clients.
For its part, the Cobalt Group is known for going after financial companies, and has repeatedly used the more_eggs backdoor in its attacks.
It seems that, at the moment, the professional group most affected by this campaign is people who work in the health technology industry.
In any case, it is not the first time that this type of attack has been recorded: in February 2019 a similar campaign was detected, on that occasion aimed at the United States retail sector.