The method of delivery always starts with an initial contact via LinkedIn’s direct messaging service using a legitimate LinkedIn account, followed by e-mails designed to either deliver malicious attachments or attempting to trick the user into clicking a malicious link. Within a few days the malicious actor sends a direct email to the targets work address reminding the recipient about the prior attempt to communicate on LinkedIn.
The URLs embedded within the body of the phishing email point to a landing page that spoofs a real talent and staff management company, using stolen branding to enhance the legitimacy of the campaign. Upon visiting the link, the landing page will automatically download a malicious Microsoft Office document created using the Taurus Builder tool. This document will attempt to download and execute the More_eggs payload if the user clicks the ‘enable macros’ pop-up in Word.