That job offer on LinkedIn is bogus: the zip file will leave an open back door for attackers
A group known as Golden Chickens is carrying out attacks on the social network LinkedIn by posting fake job offers whose sole purpose is to infect you with a backdoor trojan.
As eSentire explains, the attackers send a malicious zip file named after the job title listed on the target's LinkedIn profile. That is, if you are a Senior Account Executive, the malicious zip file would be named "Senior Account Executive position".
If this file is opened, the victim unknowingly initiates the installation of a backdoor named more_eggs. Once loaded, this backdoor can download other malicious files and gives the attackers easier access to the victim's computer.
Malware as a Service
The group behind more_eggs is Golden Chickens and, as eSentire explains, it sells this backdoor as Malware as a Service (MaaS) to other cybercriminals. Once more_eggs is on the victim's computer, Golden Chickens' "clients" can infect the machine with any type of malware.
The most dangerous aspect of this attack is that the malware runs stealthily and abuses legitimate Windows processes to execute, so the antivirus program may not detect it at all.
It should be noted, however, that the researchers who discovered this attack also say that the campaigns using this MaaS do not seem very numerous and that they are selective. In any case, there is forensic evidence that this malware as a service has been used by three groups: FIN6, Cobalt Group and Evilnum.
Some “old acquaintances”
These three organized groups are "old acquaintances" in the security world. FIN6 is a financially motivated cybercrime group that mainly steals payment card data and sells it on underground markets.
Meanwhile, Evilnum is best known for targeting fintech firms, companies that provide stock trading tools and platforms. Its objective is the financial information held by the fintech companies and their clients.
For its part, the Cobalt Group is known for going after financial companies, and has repeatedly used the more_eggs backdoor in its attacks.
It seems that, for now, the professionals most affected by this attack are those working in the healthcare technology industry.
In any case, it is not the first time that this type of attack has been recorded: a similar campaign was detected in February 2019, but aimed at the retail sector in the United States.