LinkedIn Direct Messages Exploited Via “more_eggs” Backdoor (Feb 25, 2019)

A phishing campaign is using the direct message feature of the employment and networking platform “LinkedIn” to distribute a backdoor, according to Proofpoint researchers. The threat actors behind this campaign send fake job offers on LinkedIn, followed by emails that serve as “follow-up” reminders for the purported job offer. The emails were found to contain links leading to fake, malicious websites, or to attempt to convince the recipient to open a PDF attachment and follow the URL within it. The fake website asks the visitor to download a Microsoft Word file containing malicious macros that, if enabled, begin the infection process of a backdoor called “more_eggs.” The backdoor functions as a “JScript” loader that is capable of downloading additional malicious payloads.
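As an added detection example (not part of the original report): the chain above ends with a Word macro handing off to a JScript loader, which on a host shows up as an Office application spawning a Windows script host. The log layout, field names and sample events below are constructed for this example.

```python
# Added example: flag an Office application launching a Windows script host
# (the macro -> JScript-loader hand-off) in process-creation telemetry.
# The "timestamp|parent_image|image|command_line" layout is an assumption
# for this example, not a real product's format.
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf)\b", re.IGNORECASE)

# Constructed sample telemetry; only rows 2 and 5 should alert.
SAMPLE_EVENTS = """\
2019-02-25T10:01:03|explorer.exe|winword.exe|"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" Offer.docm
2019-02-25T10:01:41|winword.exe|wscript.exe|wscript.exe /e:jscript C:\\Users\\a\\AppData\\Local\\Temp\\loader.txt
2019-02-25T10:02:10|explorer.exe|cscript.exe|cscript.exe C:\\Scripts\\logon.vbs
2019-02-25T10:03:22|winword.exe|splwow64.exe|splwow64.exe
2019-02-25T10:04:05|excel.exe|cscript.exe|cscript.exe //nologo C:\\Users\\a\\Downloads\\report.jse
"""


def parse_event(line):
    """Split one pipe-delimited event; the command line may itself contain pipes."""
    ts, parent, image, cmd = line.split("|", 3)
    return {"ts": ts, "parent": parent.lower(), "image": image.lower(), "cmd": cmd}


def office_spawned_script_host(event):
    """True when an Office process is the parent of wscript/cscript."""
    return event["parent"] in OFFICE_APPS and event["image"] in SCRIPT_HOSTS


def script_signal(cmd):
    """Explain why the command line looks like a script launch.

    '/e:jscript' forces the JScript engine, so a file with a harmless-looking
    extension (.txt) is still executed as JScript; a .js/.jse/.wsf path is the
    plain case. Alerting does not depend on this, it only enriches the hit.
    """
    if "/e:jscript" in cmd.lower():
        return "engine override"
    if SCRIPT_EXT.search(cmd):
        return "script extension"
    return "none"


def find_suspicious(log_text):
    """Return (timestamp, parent, child, signal) for every Office->script-host event."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if office_spawned_script_host(ev):
            hits.append((ev["ts"], ev["parent"], ev["image"], script_signal(ev["cmd"])))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT office app -> script host:", hit)
```

The parent/child rule is the one to alert on; the engine-override check is there so a loader that avoids a script extension still gets labelled rather than missed.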

Recommendation: Messages that attempt to redirect a user to a link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defense. Inform your employees of the dangers of phishing, specifically how it can take place across different forms of online communication, and whom to contact if a phishing attempt is identified.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.