‘More_eggs’ is a backdoor sold as a “malware-as-a-service” (MaaS) by a threat group known as “Golden Chickens” and predominantly used by three criminal groups: FIN6, Cobalt Group, and Evilnum.
In the latest campaign, unearthed by researchers from eSentire and targeting a professional working in the healthcare technology industry, a threat actor is exploiting fake job offers on LinkedIn to deploy the ‘More_eggs’ backdoor on the victim’s machine.
This is yet another interesting example of a campaign exploiting multiple cloud services to evade detection, and preying on COVID-19 uncertainty, given the high number of job redundancies deriving from the pandemic. Not only is LinkedIn used to spearphish the victim via a malicious zip file with a fake job offer using the position listed on the target’s public profile, but also AWS contributes to the attack chain, being exploited to deliver the TerraPreter payload, an ActiveX control used to beacon to the Command & Control server (C2).