MSSP eSentire says hackers have used LinkedIn profiles for spearfishing

Threat actors are taking advantage of the LinkedIn profile to target victims with fake job offers that lead to backdoor installation, warns a Canadian managed security service provider.

Victims who click the link to the job offer are believed to be able to set up a backdoor known as "more_ beggars", which can give a hacker remote control to the victim's computer, allowing them to access files Allows sending, receiving, launching and deleting. ESentire based in a blog released this morning.

The attack described by ESentire researchers works this way: A threat actor finds a target on LinkedIn and creates a malicious zip file attachment to the target's current job name. For example, if a person's job is listed as "Senior Account Executive-International Freight", the malicious ZIP file will be titled "Senior Account Executive-International Freight Status".

Currently, the goal is to ensure the filename of the attachment so that the victim clicks on it. When they do, a Microsoft Word job application form is downloaded by asking specific questions (name, address, status, social security number, education and so on).

However, opening the document initiates a process that leads to the installation from the theft of a useless backdoor called "more_eggs". Once loaded, the sophisticated backdoor can download more malicious plugins and provide hands-on access to the victim's computer. Common Windows processes are used to run it, so it is unlikely to be picked up by anti-virus and automated security solutions.

The ESentire report states that the incident detected is similar to the one described by Proof Point in 2019. In that report, Proof Point stated that the threatened actor used malicious attachments and set up fake websites that impose legitimate staffing companies. It also used the same LinkedIn direct mail capability intended to establish synergy with the victim.

contributing factors

Since the COVID epidemic, the unemployment rate has increased dramatically, providing a perfect time for those desperate to find employment to benefit. Thus, the greed for a customized job is even more enticing during these troubled times, eSentire explains.

More_eggs Backdoor (also known by some researchers as Terra Loader and Spiceomlet) is a product of a well-known Malware-as-Service Threat group called Golden Chickens. As a result of renting the back door to qualified hackers, in this particular event eSentire cannot be sure who the threat actor was. The report notes that FIN6, the Cobalt Group and Avilnum groups are known to use Golden Chickens' offerings.

The intended victim worked in the healthcare sector in an attempt by ESentire.

Behind the scenes of the attack

In the initial phase of the attack, opening the infected document started downloading Venomellenke, which misuses Windows Management Installation (WMI). It is a capability that allows administrators to manage various installations and configurations. In turn, VenomLNK enables TerraLoader, a loader of malware. It hijacks valid Windows processes, cmstp (a connection management process) and regsvr32 (an installation utility that registers a dynamic link library and an ActiveX control).

TerraLoader then loads the payload, TerraPreter, an ActiveX control from an AmazonX web server server. At this point, TerraPreter starts connecting to a command and control server, ready to log the Golden Chicken client from the backdoor and accomplish its goals.