‘Fake Jobs’ phishing campaign targets US employees with More_eggs backdoor

• Attackers first make initial contact with targets via LinkedIn’s direct messaging service and then send phishing emails that include malicious attachments or malicious URLs to deliver the More_eggs backdoor.
• The attackers behind these ‘Fake Jobs’ phishing campaign use multiple malware delivery methods to drop the More_eggs backdoor payload onto targets' computers.

A new phishing campaign delivering the More_eggs backdoor via ‘fake jobs offer’ phishing emails are targeting employees of US companies which use shopping portals and similar online payment systems. The phishing emails purport to be from staffing companies offering employment.

The big picture

• Attackers first make initial contact with targets via LinkedIn’s direct messaging service using a legitimate LinkedIn account.
• They then send ‘job offers’ phishing emails to the targets’ work email addresses reminding the targets about their prior communication on LinkedIn.
• The attackers use targets’ job designation stated in LinkedIn as the email subject
• The body of the phishing emails includes malicious attachments or malicious URLs to deliver the More_eggs backdoor.
• The malicious attachments or links redirects the targets to a spoofed talent and staffing management company page, using stolen branding to enhance the legitimacy of the emails.
• The landing page will then autostart the download of a decoy Microsoft Office document with malicious macros created using the Taurus Builder tool.
• If the targets enable macros, the More_eggs payload will be downloaded and executed.

Worth noting - The attackers behind these ‘Fake Jobs’ phishing campaign use multiple malware delivery methods and various techniques to drop the More_eggs backdoor payload onto targets' computers.

• URL linking to a landing page that initiates the download for an intermediate JavaScript loader or Microsoft Word document with macros or exploits
• URL shortener redirecting to the same landing page
• PDF attachment with a URL linking to the same landing page
• Password-protected Microsoft Word attachment with macros that download More_eggs backdoor
• Completely benign emails without a malicious attachment or URL attempting to further establish rapport.

“This actor provides compelling examples of these new approaches, using LinkedIn scraping, multi-vector and multistep contacts with recipients, personalized lures, and varied attack techniques to distribute the More_eggs downloader, which in turn can distribute the malware of their choice based on system profiles transmitted to the threat actor,” ProofPoint researchers noted in a blog.