The Golden Chicken hacking group is targeting LinkedIn users with fake job offers to infect them with a sophisticated malware strain that can allow them to take control of victims’ computers.
These hackers spread the More_Eggs malware by spear phishing victims with a malicious .ZIP file using the victim's job as listed on LinkedIn, according to the security firm eSentire.
These files are titled to mirror the exact job title. For example, a user listing ‘Senior Account Executive International Freight’ as their job will be sent a malicious .ZIP file titled ‘Senior Account Executive - International Freight position’.
Once opened, victims initiate the stealthy installation of the More_eggs backdoor that can download additional malicious plugins and provide remote access to their device.
Golden Chicken sell the backdoor under a malware as a service (MaaS) arrangement to other cyber criminals, made possible by More_Eggs’ tendency to maintain a stealthy profile by abusing legitimate Windows processes.
Researchers with eSentire disrupted an active spear phishing incident in which a health tech professional downloaded and executed a malicious .ZIP file.
The researchers saw the victim unwittingly activate VenomLNK, an initial stage of More_Eggs that abused Windows Management Instrumentation to enable the plugin loader, TerraLoader. This, in turn, hijacks the cmstp and regsvr32 processes.
While TerraLoader is being initiated, a decoy Word document is presented to the victim to impersonate a job application but serves no functional purpose in the infection. This is simply a decoy that distracts the user from the background tasks of More_Eggs.
TerraLoader then installs msxsl in the user’s roaming profile and loads the payload, before signalling to a command and control (C&C) server through the copy of msxsl. This beacon then communicates that the More_Eggs backdoor is ready for Golden Chicken’s customer to log in and begin carrying out their goal.
Possibilities, depending on the group that More_Eggs is sold to on the MaaS model, include infecting with additional malware strains, such as ransomware, or getting a foothold into the victim’s network to exfiltrate data.
The eSentire researchers have so far been unable to determine what the ultimate purposes of this campaign might be, although it mirrors a similar campaign reported in February 2019 which also involved the More_Eggs backdoor.
