A series of malware campaigns that push the More_eggs backdoor via fake jobs offers are targeting employees of US companies which use shopping portals and similar online payment systems.
The final payload used in this phishing campaign is always the JavaScript-based backdoor known as More_eggs, a malware strain designed to allow the attackers to control the compromised machines remotely and to enable them to drop extra malware payloads on their victims’ computers.
More_eggs was initially identified by Trend Micro during the summer of 2017 and, since then, it was used in multiple malicious e-mail campaigns, targeting Eastern European financial institutions or manufacturers of ATMs and other payment systems.
The method of delivery always starts with an initial contact via LinkedIn’s direct messaging service using a legitimate LinkedIn account, subsequently followed by e-mails designed to either deliver malicious attachments or trying to trick the target to click a malicious link.
Within a week, the actor sends a direct email to the target’s work address reminding the recipient about the prior attempt to communicate on LinkedIn. It uses the target’s professional title, as it appears on LinkedIn, as the subject [..]
The URLs embedded within the body of the phishing emails or within their attachments point “to a landing page that spoofs a real talent and staffing management company, using stolen branding to enhance the legitimacy of the campaigns.”
In the next step of the infection process, the landing page will autostart the download of a decoy Microsoft Office document created using the Taurus Builder tool.
This document will next attempt to download and execute the More_eggs payload if the target enables macros and the malicious macros bundled within are able to run.
As observed by the Proofpoint Threat Insight Team, the threat actors behind these “Fake Jobs” campaigns use multiple malware delivery methods to get the More_eggs backdoor payload on their targets’ computers:
– URL linking to a landing page that initiates the download for an intermediate JScript loader or Microsoft Word document with macros or exploits
– URL shortener redirecting to the same landing page
– PDF attachment with a URL linking to the same landing page
– Password-protected Microsoft Word attachment with macros that download More_eggs
– Completely benign emails without a malicious attachment or URL attempting to further establish rapport
By dropping More_eggs on compromised machines, the actors behind these campaigns make sure that they can customize the course of the infection process to adapt their attacks a lot easier to whatever defenses their victims might have in place.
Source: BleepingComputer