The Threat Response Unit (TRU) at eSentire, a Waterloo, Ontario-based cybersecurity firm, has discovered an ongoing fake-jobs spear-phishing campaign that infects LinkedIn users' computers with the More_eggs backdoor. The attackers pose as staffing companies, sending malicious website links to job seekers in LinkedIn messages and then following up by email. The aim is to infect victims' devices with More_eggs and steal data. According to eSentire's blog post, the threat actors deliver zip files whose names are tailored to the job title on the target's LinkedIn profile. For example, if a LinkedIn member's job is listed as Senior Account Executive-International Freight, that member receives a malicious zip file titled Senior Account Executive-International Freight position. If the zip file is opened on a Microsoft Windows device, the device is infected with the More_eggs backdoor. Once installed, the backdoor gives the attackers remote control of the system, which they can use for further malicious activity, including dropping ransomware to encrypt the system and, where possible, spreading it across the organization's network. Because the campaign targets LinkedIn users, its victims are typically employed by professional organizations, which makes them a potential treasure trove for the attackers.