linkedin more eggs malware spearphishing

Image via Adobe Stock

More eggs? Hackers hatched a malware campaign using fake LinkedIn job offers

Experts describe the “more_eggs” spearphishing campaign as “very lethal”.

linkedin more eggs malware spearphishing

Image via Adobe Stock

It’s not easy looking for and finding work, especially not during a global pandemic. Hackers have now taken advantage of this dilemma and are targeting job hunters with the more_eggs malware on LinkedIn.

eSentire, a leading cybersecurity solutions provider, brought spearphishing campaign to light and are warning users on LinkedIn to be on the lookout for fake job offers.

Here’s what you need to know

More_eggs: Phishing campaign on LinkedIn

What is more_eggs malware?

The spearphishing incidents incorporate three elements, which according to eSentire’s research team, the Threat Response Unit (TRU), “make more_eggs […] very lethal”.

The malware campaign was hatched by a hacking group known as Golden Chickens. Yes, we know. The puns practically write themselves. Rob McLeod, Sr. Director of the TRU writes:

“What is particularly worrisome about the more_eggs activity is that it has three elements which make it a formidable threat to businesses and business professionals”.

McLeod explains that the three elements are as follows:

  1. It uses normal Windows processes to run so it is not going to typically be picked up by anti-virus and automated security solutions so it is quite stealthy.
  2. Including the target’s job position from LinkedIn in the weaponized job offer increases the odds that the recipient will detonate the malware.
  3. Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times.

What do the hackers want?

TRU cannot say for certain, but have confirmed that they successfully disrupted the operation. The team adds:

“What we do know is that this current activity mirrors an eerily similar campaign which was reported in February 2019, where U.S. retail, entertainment and pharmaceutical companies, which offer online shopping, were targeted.”

At the time, the “threat actors went after employees of these companies with fake job offers, cleverly using the job title listed on their LinkedIn profiles, in their communications to the employees.”

The more_eggs campaign is similar in many ways, such as the use of malicious email attachments. Once the target opens or clicks on the attachment, more_eggs malware is deployed.

LinkedIn responds

Gizmodo reached out to LinkedIn. The team acknowledged that “millions of people use LinkedIn to search and apply for jobs every day”, adding that “safety means knowing the recruiter you’re chatting with is who they say they are, that the job you’re excited about is real and authentic, and how to spot fraud.”

“We don’t allow fraudulent activity anywhere on LinkedIn. We use automated and manual defences to detect and address fake accounts or fraudulent payments. Any accounts or job posts that violate our policies are blocked from the site”.