Looking for a job on LinkedIn? Beware of hacking attacks

Hackers are trying to breach your security by sending you too-good-to-be-true job offers via reputable social media platforms such as LinkedIn.

Small toy figures are seen between a displayed US flag and LinkedIn logo in this illustration picture, on August 30, 2018.
Reuters


As the pandemic resulted in layoffs across the world, job searches on the Internet have increased disproportionately. Hackers are taking advantage of this, luring people with job offers and even using professional social media platforms like LinkedIn.

A recently published report by cybersecurity solutions provider eSentire revealed that hackers are hiding malicious zip files in fake job offers. Once users download and open them, a highly sophisticated phishing attack is launched on their computers.

On April 5, eSentire announced that cybercriminals are even hiding malware in fake LinkedIn job offers.

As per the report, researchers of eSentire's Threat Response Unit (TRU) discovered that a group of hackers has used fake job offers to attack business professionals on LinkedIn with a backdoor Trojan, which enables the hackers to remotely control the victim’s computer. Once the system’s security is breached, they can send, receive, launch and delete files.

How does it work?

The emails first draw on each victim’s profile to create a convincing, personalised offer.

When victims open this fake offer, they may unwittingly initiate the stealthy installation of a fileless backdoor called more_eggs. There is no malicious file on disk for an antivirus to detect: all the action takes place by subverting normal Windows processes and running scripts in memory.

Once loaded, the sophisticated backdoor can download additional malicious plugins and provide hands-on access to the victim’s computer. The hacker group behind the stealthy installation sells the backdoor under a malware-as-a-service (MaaS) arrangement to other cybercriminals.

Once more_eggs becomes active on a victim’s computer, Golden Eggs’ seedy customers can go in and infect the system with any type of malware: ransomware, credential stealers, banking malware, or simply use the backdoor as a foothold into the victim’s network in order to exfiltrate data.

Explaining the issue further, the company said in its report: “For example, if the LinkedIn member’s job is listed as Senior Account Executive — International Freight, the malicious zip file would be titled Senior Account Executive — International Freight position (note the “position” added to the end). Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs (a JavaScript malware).”

The risk posed by more_eggs to organisations and people

Rob McLeod, senior director of the TRU, said: “What is particularly worrisome about the more_eggs activity is that it has three elements which make it a formidable threat to businesses and business professionals.”

According to McLeod, the three elements that make more_eggs activity such a formidable threat are:

1. It runs through normal Windows processes, so it is typically not picked up by antivirus and automated security solutions, which makes it quite stealthy.

2. The weaponised job offer includes the target’s job position taken from LinkedIn. This increases the odds that the recipient will detonate the malware.

3. Since the start of the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment, so a customised job lure is even more enticing during these troubled times.

“These elements make more_eggs, and the cybercriminals which use this backdoor, very lethal,” he added.

Although eSentire’s research team has not yet found solid evidence about the identity of the hacking group, the report indicated that, as a service, the malware has notably been used by three threat groups: FIN6, Cobalt Group and Evilnum.
