More_Eggs Trojan Spreads Among LinkedIn Job Seekers

Aback-door trojan is infecting hopeful job-seekers on LinkedIn through a spear-phishing campaign, according to a new report by eSentire. The phishing email will attempt to get the job-seeker to click a malicious .zip file, which is the first step in deploying the More_Eggs trojan onto their device. The malicious files are tailored and will have “position” at the end of the file name, which helps them appear legitimate.

“For example, if the LinkedIn member’s job is listed as ‘Senior Account Executive—International Freight,’ the malicious .ZIP file would be titled ‘Senior Account Executive—International Freight position’ (note the ‘position’ added to the end),” according to the eSentire report. “Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs.”

As a back-door Trojan, More_Eggs allows hackers to access a user’s system from a remote location. This includes sending and receiving files and so can function as a malware loader for other virus strains.

While many groups have been found to use More_Eggs, it is developed by The Golden Chickens threat group. The group sells the trojan under a Malware-as-as-Service (MaaS) subscription.

Researchers at eSentire have noted 3 aspects of More_Eggs that makes it a “formidable threat to business and business professionals.”

Firstly, the trojan bypasses most antivirus defenses by abusing Windows processes. Secondly, it uses personalized spear-phishing to increase its chance of success. Lastly, more_eggs has been deployed at a time when job hunters are desperate to find work in the midst of a global pandemic.

The motivation behind the attacks are not yet known. There is little to gain from the devices on individuals who are unemployed; their devices are not connected to any corporate network. Some researchers have pointed out the attacks may lay dormant, and could activate at a point at the future when the victim does have access to business systems through the infected device.

In the report, eSentire follows the more_eggs LinkedIn attack on someone in the health care technology sector. Chris Hazelton with mobile security provider Lookout statedthat the victim that said was likely chosen so that cybercriminals could gain “access to an organization’s cloud infrastructure, with a potential goal of exfiltrating sensitive data related to intellectual property or even infrastructure-controlling medical devices. He added, “Connected devices, particularly medical devices, could be a treasure trove for cybercriminals.”

Morales added that to avoid compromise, all users on LinkedIn should be on the lookout for spear-phishing scams.

“Targeting LinkedIn is not rocket science,” he added. “It is social media for the corporate world with a description of the key players in every industry. I assume that I am a target too and always look for that.”

Potential Threat Actors Deploying More_Eggs Trojan

It is currently unknown which group is behind this campaign. It is unlikely to be The Golden Chickens themselves, as in the past, they have mostly been responsible for developing and selling the trojan. In their report, eSentire outlined 3 likely threat actor groups behind the campaign. These groups have used More_Eggs in the past, using the same methods as found in the current LinkedIn campaign.

FIN6 – FIN6 is a financial cybercrime group that primarily steals payment card data and sells it on underground marketplaces. The FIN6 group first gained notoriety in 2014 for their attacks against point-of-sale (POS) machines in retail outlets and hospitality companies. Continuing their quest for credit and debit card data, they later moved on to targeting e-Commerce companies and stole their credit card data via online skimming. The FIN6 threat group has also been known to infect some of their victims with ransomware.

Researchers reported in Feb. 2019 that FIN6 was specifically targeting numerous e-Commerce companies and using malicious documents to infect their targets with the more_eggs trojan as the initial phase of their attack.

Later that year, in August 2019, security researchers found that the FIN6 group began another malicious campaign. The researchers believe the FIN6 threat actors were actively going after multinational organizations. Similar to the current incident, FIN6 spearphished specific employees with fake job offers. If the targets fell for the lure, they too were infected with the more_eggs backdoor trojan.

Evilnum – The Evilnum cybercrime group is best known for compromising financial technology companies, companies that provide stock trading platforms and tools. Their target is financial information about the targeted FINTECH companies and their customers. They target items such as spreadsheets and documents with customer lists, investments, trading operations, and credentials for trading software/platforms and software.

The Evilnum group is also known to spearphish employees of the companies they are targeting and enclose malicious zip files. If executed, the employees get hit with the more_eggs backdoor trojan, along with other malware.

Cobalt Group – The Cobalt Group is also known to go after financial companies, and it has repeatedly used the more_eggs backdoor trojan in their attacks.

More_Eggs Trojan Analysis

The More_Eggs trojan are been analysed in depth by the IBM X-Force Incident Response and Intelligence Services (IRIS).

As mentioned, to gain access to victim environments, the threat actor began by targeting handpicked employees using LinkedIn messaging and email, advertising fake jobs to lure recipients into checking into the supposed offers. 

Once the attacker has established communication with a victim via email, they convince them to click on a Google Drive URL purporting to contain an attractive job advert. Once clicked, the URL displays the message, “Online preview is not available,” then presents a second URL leading to a compromised or rogue domain, where the victim can download the payload under the guise of a job description.

Link provided in spear phishing email to an employee

That URL, in turn, downloads a ZIP file containing a malicious Windows Script File (WSF) that initiates the infection routine of the More_Eggs backdoor trojan.

Final landing page that downloads a malicious file

The ZIP file and WSF files are deleted upon a successful malware infection, likely in an attempt to prevent researchers from recovering the original files from the filesystem. The filesystem, however, contains evidence of a non-malicious decoy document dropped to the disk drive during the spear phishing attacks.

The spear phishing attacks led to initial compromise and the installation of the More_eggs JScript backdoor, which established a reverse shell connection to the attacker’s command-and-control (C&C) infrastructure. Additional capabilities of the More_eggs malware include the download and execution of files and scripts and running commands using cmd[.][exe].

X-Force IRIS determined that the More_eggs backdoor later downloaded additional files, including a signed binary shellcode loader and a signed Dynamic Link Library (DLL), as described below, to create a reverse shell and connect to a remote host. The shellcode loader was observed on one infected device as updater.exe with the Metasploit-style service name APTYnDS1ABEuUHEA, indicating that it was installed as a service.

Once the attackers established a foothold on the network, they employed WMI and PowerShell techniques to perform network reconnaissance and move laterally within the environment. This type of method, called ‘living off the land’, can often blend with legitimate system administration activities, which can make it challenging for security controls to detect.

To cement their foothold and add persistence throughout the compromised environment, X-Force IRIS uncovered evidence that the attacker had selected several additional devices on which to install the More_eggs backdoor, creating redundancy in ways to get back into the network. Hackers remotely connected to these devices using PowerShell and WMI and downloaded and executed a DLL file, subsequently installing More_eggs on the device without dropping the nonmalicious decoy document.

After a successful phishing attack in which users have opened emails and browsed to malicious links, hackers install the More_eggs JScript backdoor on user devices alongside several other malware components.

The process begins with the consistent execution of a malicious DLL using the legitimate regsvr32[.][exe] Windows Utility. Once executed, the DLL is deleted from the system and its components are dropped to the system.


The more_eggs trojan is yet another attack vector being used by hackers to exploit people in need. As hackers step up their game, individuals and business owners need the right tools to defend themselves against ever-advancing threats. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply

Your email address will not be published. Required fields are marked *