Hackers have abused LinkedIn messaging to target US companies with the More_eggs backdoor.
Employees of US companies that use shopping portals and similar payment systems have been made the prime targets of a series of malware campaigns, in which hackers push the More_eggs backdoor via fake job offers being sent via LinkedIn.
About More_eggs
More_eggs, which was initially identified and explained by Trend Micro researchers in 2017, is a JavaScript-based backdoor which allows hackers to control the compromised machines remotely and also helps them drop extra malware payloads on targeted systems and attached networks. Cybercriminals have been using the More_eggs backdoor in many malicious campaigns, especially those targeting financial organizations, ATM manufacturers etc.
The current campaign
In the current campaign involving More-eggs, which happens to be a phishing campaign, the hackers execute their initial contact abusing the LinkedIn direct messaging service. The phishing happens using a legitimate LinkedIn account, from which the target is sent a LinkedIn profile adding request.
The Proofpoint Threat Insight team that observed and studied this campaign details it in a blog post, which says, “Initially the actor uses a fraudulent, but legitimately created LinkedIn profile to initiate contact with individuals at the targeted company by sending invitations with a short message. This appears as a benign email with the subject “Hi [Name], please add me to your professional network”.”
Following this initial contact via LinkedIn, the attacker would, within a week’s time, send a direct email to the target employee’s work address and using the target’s professional title (as on LinkedIn) as the subject. This direct email would remind the recipient of the communication via LinkedIn, beginning, “Hi, I contacted you on Linked In recently”. The email, which would be signed by some HR manager (fake), would have within its body or within the attached PDF document a URL that would redirect the target to a webpage, which in fact would be a spoofed one. The landing page spoofs a genuine talent and staffing company’s page; it would even sport stolen branding, thereby making it look genuine. This fake landing page would initiate the download of an MS Word document that’s created using the Taurus Builder tool; if the target enables macros, this MS office document would attempt to download and execute the More_eggs payload. In other cases, the fake landing page may initiate the download of a JScript loader instead, leading to the delivery of More_eggs.
The Proofpoint researchers have noticed that the hackers behind the campaign have been changing delivery methods very frequently. They would sometimes, as already explained, use a URL linking to a landing page that would initiate the download for an intermediate JScript loader or Microsoft Word document with macros or exploits. They might also use a URL shortener that redirects the target to the same fake landing page. Sometimes, it would be a PDF attachment with a URL linking that does the redirect and sometimes they would use password-protected MS Word attachment with macros to download More_eggs. In some cases, they would even send benign emails without any URL or attachment to establish a rapport with the target.
By infecting targeted systems with the More_eggs backdoor, the hackers manage to customize their infection process and even bypass the defenses that are already in place in the targeted systems, thereby making the campaign very successful.