Fake LinkedIn job offers scam spreading More_eggs backdoor

According to researchers, threat actors are using zip files to trick LinkedIn users into executing the More_eggs backdoor.

According to researchers, threat actors are using zip files to trick LinkedIn users into executing the More_eggs backdoor.

Microsoft-owned social media for professionals LinkedIn has over 740 million users from 200 countries around the world. This makes it a lucrative target for cybercriminals. In the latest, LinkedIn professionals are being targeted by a phishing campaign that drops More_eggs backdoor.

The Threat Response Unit (TRU) at eSentire, a Waterloo, Ontario-based cybersecurity firm has discovered an ongoing fake jobs spearphishing scam that is infecting the computer systems of LinkedIn users with dangerous and nasty More_eggs backdoor.

How More_eggs backdoor spreads?

In February 2020, Checkpoint researchers reported how attackers were using More_eggs backdoor to target anti-money laundering officers and abused LinkedIn’s messaging services to offer fake job opportunities to spread the malware.

SEE: Hackers set up fake cybersecurity firm to target reaserchers

At that time, attackers posed as staffing companies to send compromised and malicious website links to job seekers and later followed up via emails. In both cases, the aim was to infect victims’ devices with the More_eggs backdoor to steal data.

However, this time, according to eSentire’s blog post, threat actors are using zip files to target victims based on the job description on their LinkedIn profile.

If the LinkedIn member’s job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position, eSentire explained.

Once the zip file is opened the victim’s device gets infected with the More_eggs backdoor which is currently targeting Windows devices.

Upon infection, the malware takes full control of a targeted system allowing hackers to remotely use it for malicious purposes including sending, receiving, deleting, and executing files.

Word document which poses as an employment application which is served up to the business professional once they download the zip file which alleges to be a job offer. (Image via: eSentire)

Risk of ransomware infection

Additionally, hackers can also drop new malware on the system that can be trigger ransomware infection ultimately locking victim’s files and demand ransom for decrypting keys. Researchers warn that the More_eggs backdoor can also exfiltrate data from a device putting your social media accounts, emails, browsing history, cryptocurrency wallets at risk of being stolen.

“What is particularly worrisome about the more_eggs activity is that it has three elements which make it a formidable threat to businesses and business professionals,” said Rob McLeod, Sr. Director of the Threat Response Unit (TRU) for eSentire in a report shared with Hackread.com.

SEE: Leaked LinkedIn Database used in hacking Zuckerberg’ Twitter

Those three elements include the following:

  1. It uses normal Windows processes to run so it is not going to typically be picked up by anti-virus and automated security solutions so it is quite stealthy.
  2. Including the target’s job position from LinkedIn in the weaponized job offer increases the odds that the recipient will detonate the malware.
  3. Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times.

Why LinkedIn users?

LinkedIn is home to 740 million users from almost every known profession including sensitive ones like scientists, military, law enforcement, defense, airlines, banking/finance, and politics, etc. For cybercriminals and state-backed hackers, access to a computer system used by any of these professionals is a goldmine for making quick cash by selling its access to other criminals or use it for surveillance to steal secrets or sensitive data.

What should LinkedIn users do?

First and foremost refrain from clicking on links sent by people on social media especially from unknown and anonymous users. If you are being forced to click on zip or executable file you should avoid it at all costs however if you have already downloaded a file make sure to scan it with a reliable anti-malware.

Furthermore, you can also scan for malicious links and files on VirusTotal. Either way, your security is in your hand. Hackread.com strongly recommends learning about cybersecurity and threats that surround us once connected to the Internet.

Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

Related Posts