Backdoor Targeting US Companies Through LinkedIn Messaging

There is a series of malware campaigns that are utilizing the More_eggs backdoor via fake job offers targeting employees of US companies which use shopping portals and similar online payment systems. More_eggs is a Javascript-based backdoor that is designed to allow the attacker to control the compromised machines remotely and enable them to drop extra malware payloads on their victims’ computers.

The method of delivery always starts with an initial contact via LinkedIn’s direct messaging service using a legitimate LinkedIn account, followed by e-mails designed to either deliver malicious attachments or attempting to trick the user into clicking a malicious link. Within a few days the malicious actor sends a direct email to the targets work address reminding the recipient about the prior attempt to communicate on LinkedIn.

The URLs embedded within the body of the phishing email point to a landing page that spoofs a real talent and staff management company, using stolen branding to enhance the legitimacy of the campaign. Upon visiting the link, the landing page will automatically download a malicious Microsoft Office document created using the Taurus Builder tool. This document will attempt to download and execute the More_eggs payload if the user clicks the ‘enable macros’ pop-up in Word.