LinkedIn Direct Messages Exploited Via “more_eggs” Backdoor

It hasn’t been that long since we reported phishing campaigns targeting Facebook users. Now, however researchers have discovered another such campaign. But, this time, the victim appears to be the professional network – LinkedIn. Allegedly, the attackers exploit the LinkedIn direct message feature to tempt users into opening said message. Consequently, they attempt to deliver the more_eggs backdoor to the victim machine.

Phishing Campaign Spreads Fake Job Offers Via LinkedIn DM

Researchers at Proofpoint have come across a phishing campaign that exploits LinkedIn’s direct message feature. LinkedIn is a popular social networking site promoting professional connections. It serves a combined platform for job seekers, recruiters, and employers to strengthen professional relationship and employment. Perhaps, this is what the attackers abuse in this phishing attack.

As disclosed in a blog post by Proofpoint, the threat actors began the phishing attack via LinkedIn DM by sending fake job offers. They then reach the recipient users by emails as follow-up reminders. These emails contain malicious URLs that redirect the victims to legit-looking websites. In some cases, the attackers may send PDF attachments that contain malicious links.

Upon reaching the spoofed website, the landing page asks the visitor to download an MS Word file. Once done, the “more_eggs” payload reaches the victim’s device. As elaborated by Proofpoint,

“The landing page initiates a download of a Microsoft Word file with malicious macros created with Taurus Builder. If the recipient enables macros, the “More_eggs” payload will be downloaded and executed. In other cases, the landing page may initiate the download of a JScript loader instead, but this intermediate malware still ultimately results in the delivery of More_eggs.”

More_eggs is known malware first documented by Trend Micro. The malware predominantly acts as Jscript loader to download more payloads. Besides, it also aids the attackers in profiling the target machines.

LinkedIn Users Must Stay Vigilant

The researchers explain that the phishing campaign comes with a lot of variations with regards to the payload delivery method. They may either use Microsoft Word file with macros, a PDF file with malicious links, direct URLs that trigger JScript loader download, URLs asking users to download malicious MS Word files, or URL shorteners redirecting to the attackers’ website.

However in some cases, the attackers may not deliver the payload directly, as the researchers stated on this social engineering strategy, the attackers may prefer,

“Completely benign emails without a malicious attachment or URL attempting to further establish rapport.”

Nonetheless, the end result remains the same in all cases – the delivery of more_eggs.

LinkedIn users actively communicate with each other via direct messages regarding job offers. And that’s what the criminal hackers exploit with this phishing campaign. Therefore, users must remain extremely cautious while responding to job offers. Make sure to review the sender’s profile thoroughly. Look for the company’s existence and reviews via simple Google search. And if you receive any emails with links, think twice or thrice before clicking on it. Lastly, do not download any attachments attached in the emails or via a website. Most reputed employers never ask you to download a pdf or word file to know the job description. If a vacancy is legit, you would probably find it on a job portal as well.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients