By abusing LinkedIn’s direct messaging service and posing as recruiters from a staffing company with a job offer, attackers work their way, over several contacts, toward dropping malicious payloads on victims’ devices.
The goal of the campaign is to drop the More_eggs backdoor on unsuspecting victims, said researchers at Proofpoint.
“Initially the actor uses a fraudulent, but legitimately created LinkedIn profile to initiate contact with individuals at the targeted company by sending invitations with a short message,” researchers said in the post. “This appears as a benign email with the subject ‘Hi [Name], please add me to your professional network.’”
A few days later, the attackers follow up with direct emails to the work address the target uses on LinkedIn, steering the target to websites that supposedly host more information about the job.
“The URLs link to a landing page that spoofs a real talent and staffing management company, using stolen branding to enhance the legitimacy of the campaigns,” researchers said. “The landing page initiates a download of a Microsoft Word file with malicious macros created with Taurus Builder. If the recipient enables macros, the ‘More_eggs’ payload will be downloaded and executed. In other cases, the landing page may initiate the download of a JScript loader instead, but this intermediate malware still ultimately results in the delivery of More_eggs.”
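The delivery chain described above hinges on two file types reaching the target: a Word document carrying VBA macros, or a JScript loader. The following is an added triage example, not code from Proofpoint or from the article, showing how a download or mail-gateway hook could flag exactly those artifacts before a user is asked to “enable content”. It assumes three things that are general Office/Windows facts rather than details from this report: macro-enabled OOXML documents carry a `word/vbaProject.bin` part; legacy binary `.doc` files begin with the OLE2/CFB magic and, when they contain VBA, carry UTF-16LE storage names such as `Macros` and `_VBA_PROJECT`; and a JScript loader arrives as a `.js`, `.jse` or `.wsf` file. The sample files are constructed inline so the script runs offline; the function names (`classify_download`, `triage_downloads`, `build_ooxml`, `build_ole`) are this example’s own.

```python
"""Added example (not Proofpoint's code): triage downloaded files for the
macro-document and JScript-loader indicators the More_eggs campaign relies on.

Assumptions (general Office/Windows behaviour, not taken from the article):
  - macro-enabled OOXML (.docm) carries a 'word/vbaProject.bin' zip part;
  - legacy OLE2 .doc files start with the CFB magic and, with VBA present,
    contain UTF-16LE storage/stream names 'Macros' and '_VBA_PROJECT';
  - a JScript loader is delivered as a .js/.jse/.wsf (or .vbs) file.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # CFB / OLE2 compound file header
# Directory-entry names are stored UTF-16LE inside the OLE container.
VBA_STREAM_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]
SCRIPT_LOADER_SUFFIXES = (".js", ".jse", ".wsf", ".vbs")
FLAGGED = {"ooxml-macro", "ole-macro", "script-loader"}


def classify_download(filename: str, data: bytes) -> str:
    """Return one of 'ooxml-macro', 'ooxml-clean', 'ole-macro', 'ole-clean',
    'script-loader' or 'other' for a file name plus its raw bytes."""
    if filename.lower().endswith(SCRIPT_LOADER_SUFFIXES):
        return "script-loader"
    if data.startswith(OLE_MAGIC):
        # Heuristic: look for VBA storage names anywhere in the container.
        return "ole-macro" if any(m in data for m in VBA_STREAM_MARKERS) else "ole-clean"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        if "[Content_Types].xml" not in names:
            return "other"  # a zip, but not an Office Open XML package
        return "ooxml-macro" if "word/vbaProject.bin" in names else "ooxml-clean"
    return "other"


def triage_downloads(items):
    """Run classify_download over (filename, bytes) pairs; return the flagged ones."""
    flagged = []
    for name, data in items:
        verdict = classify_download(name, data)
        if verdict in FLAGGED:
            flagged.append((name, verdict))
    return flagged


# --- constructed sample inputs (not real campaign files) -------------------
def build_ooxml(with_macro: bool) -> bytes:
    """Minimal OOXML package; adds a dummy vbaProject.bin when with_macro."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole(with_macro: bool) -> bytes:
    """CFB magic plus a zero-padded 512-byte header; appends VBA names when with_macro."""
    body = bytearray(OLE_MAGIC + b"\x00" * 504)
    if with_macro:
        body += "Macros".encode("utf-16-le") + b"\x00" * 8
        body += "_VBA_PROJECT".encode("utf-16-le")
    return bytes(body)


if __name__ == "__main__":
    samples = [
        ("Job_Description.docm", build_ooxml(True)),
        ("Job_Description.docx", build_ooxml(False)),
        ("Job_Description.doc", build_ole(True)),
        ("Resume_Template.doc", build_ole(False)),
        ("Job_Details.js", b"var s = new ActiveXObject('WScript.Shell');"),
        ("logo.png", b"\x89PNG\r\n\x1a\n"),
    ]
    for name, verdict in triage_downloads(samples):
        print(f"FLAG {name}: {verdict}")
```

The OLE check is deliberately a cheap byte-scan rather than a full compound-file parse: it is good enough to route a file to a sandbox or to a proper VBA extractor such as oletools’ `olevba`, but a determined builder can hide VBA names in ways this will miss, so treat a “clean” OLE verdict as unverified rather than safe.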
Combining sophisticated social engineering with stealthy malware, the attackers run a range of campaigns built on LinkedIn scraping, multi-vector and multistep contact with recipients, personalized lures, and varied attack techniques, all of which deliver the More_eggs downloader. More_eggs, in turn, can fetch whatever follow-on malware the actor chooses, based on the system profile it transmits back to the threat actor.
“In response to the increasing effectiveness of layered defenses and end user education efforts, we can expect more threat actors to adopt approaches that improve the effectiveness of their lures and increase the likelihood of high-quality infections,” Proofpoint researchers said.