Beware of New “more_eggs” Attack Targets Linkedln Users With Fake Job Offers

Hackers spear-phishing business professionals on LinkedIn with fake job offers and infecting them with malware warns eSentire.

eSentire, a leading cybersecurity solutions provider, is warning enterprises and individuals to beware of a new spear-phishing attack with fake job offers to infect them with a sophisticated backdoor Trojan.


Backdoor trojans give threat actors remote control over the victim’s computer, allowing them to send, receive, launch and delete files.

New Spear Phishing Attack

eSentire’s research team, the Threat Response Unit (TRU), revealed that hackers are spearphishing victims with a malicious zip file using the job position listed on the target’s LinkedIn profile.

For example, if the LinkedIn member’s job is listed as Senior Account Executive, International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the “position” added to the end).

Upon opening the fake job offer, the victim without knowing initiates the stealthy installation of the fileless backdoor, more_eggs. Once loaded, the sophisticated backdoor can download additional malicious plugins and provide hands-on access to the victim’s computer.

The threat group behind more_eggs, Golden Chickens, sell the backdoor under a malware-as-a-service(MaaS) arrangement to other cybercriminals.

Once more_eggs is on the victim’s computer system, the Golden Eggs seedy customers can go in and infect the system with any type of malware: ransomware, credential stealers, banking malware, or simply use the backdoor as a foothold into the victim’s network to exfiltrate data.

An outline of how the more_eggs backdoor behaves once it is initiated by the victim
Word document which poses as an employment application which is served up to the business professional once they download the zip file which alleges to be a job offer.

What Risk Does More_Eggs Backdoor Pose to Organizations and Business Professionals?

“Three elements which make it a formidable threat to businesses and business professionals,” said Rob McLeod, Sr. Director of the Threat Response Unit (TRU) for eSentire. They are:

  • It uses normal Windows processes to run so it is not going to typically be picked up by anti-virus and automated security solutions so it is quite stealthy.
  • Including the target’s job position from LinkedIn in the weaponized job offer increases the odds that the recipient will detonate the malware.
  • Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times.

As yet, the TRU team has not discovered forensics indicating the identity of the hacking group which is trying to spearphish the LinkedIn members. Still, this malware-as a service has been used by three notable threat groups: FIN6, Cobalt Group, and Evilnum.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.