MSSP eSentire says hackers using LinkedIn profiles for spearphishing

Threat actors are leveraging LinkedIn profiles to target victims with fake job offers that lead to the installation of a backdoor, warns a Canadian managed security services provider.

Victims clicking on the link to the supposed job offer could end up installing a backdoor known as “more_eggs,” which could give a hacker remote control over the victim’s computer, allowing them to send, receive, launch and delete files, said Waterloo, Ont.-based eSentire in a blog released this morning.

The attack described by eSentire researchers works like this: A threat actor finds a target on LinkedIn and creates a malicious zip file attachment named after the target’s current job. For example, a person’s job is listed as “Senior Account Executive—International Freight,” the malicious zip file would be titled “Senior Account Executive—International Freight position.”

Presumably, the goal is to make the attachment’s file name convincing so that a victim will click on it. When they do, a Microsoft Word job application form is downloaded asking typical questions (name, address, position sought, Social Security number, education and so on).

However, opening the document triggers a process that leads to the stealthy installation of the fileless backdoor called “more_eggs.” Once loaded, the sophisticated backdoor can download more malicious plugins and provide hands-on access to the victim’s computer. It uses normal Windows processes to run, so it’s unlikely to get picked up by anti-virus and automated security solutions.

The eSentire report notes that the incident it detected is similar to one described by  Proofpoint in 2019. In that report, Proofpoint stated the threat actor used malicious attachments and set up fake websites that impersonated legitimate staffing companies. It also used the same LinkedIn direct mail capability to establish a rapport with the intended victim.

Contributing factors

Since the COVID pandemic, unemployment rates have risen dramatically, making it a perfect time to take advantage of job seekers desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times, eSentire explains.

The more_eggs backdoor (also known by some researchers by the names Terra Loader and SpicyOmelette) is a product of a well-known malware-as-a-service threat group called Golden Chickens. As a result of renting the back door to qualified hackers, eSentire can’t be sure in this particular incident who the threat actor was. The report does note that the FIN6, Cobalt Group and Evilnum groups have been known to use Golden Chickens’ offerings.

The intended victim in the attempt caught by eSentire worked in the healthcare sector.

Behind the scenes of the attack

In the initial stage of the attack, opening the infected document triggered the downloading of VenomLNK, which abuses Windows Management Installation (WMI). This is a capability that allows administrators to manage various installations and configurations. In turn, VenomLNK enables the malware’s plugin loader, TerraLoader. That hijacks legitimate Windows processes, cmstp (a connection management process) and regsvr32 (an installation utility that registers Dynamic Link Libraries and ActiveX Controls).

TerraLoader then loads the payload, TerraPreter, an ActiveX control from an Amazon Web Services server. At this point, TerraPreter begins beaconing to a command and control server that backdoor is ready for the Golden Chicken’s customer to log in and begin carrying out their goals.

Graphic explaining how a a backdoor discovered by eSentire could infect a victim's computer
Graphic by eSentire

Scams leveraging LinkedIn have been going on for years, in part because the site offers a lot of personal data.

In 2013 IT World Canada carried a synopsis of a report from Bitdefender about phony job offers from hackers using LinkedIn.

In 2015 Secureworks said it had uncovered a network of 25 fake LinkedIn profiles probably aimed at targeting potential victims through social engineering. Five purported to work for Teledyne, an American industrial conglomerate. One claimed to work for Doosan, a South Korean industrial conglomerate, and one for Northrop Grumman, a U.S. aerospace and defence company. Others in the network appeared to serve the purpose of being “supporters” of these people to add credibility.

“Creating a network of seemingly genuine and established LinkedIn personas helps (the threat group) TG-2889 identify and research potential victims,” the report notes. “The threat actors can establish a relationship with targets by contacting them directly or by contacting one of the target’s connections. It may be easier to establish a direct relationship if one of the fake personas is already in the target’s LinkedIn network.”

Since the start of the COVID-19 pandemic, health researchers have been the targets of some nation-state threat actors.

Last December, the University of Tennessee health science centre warned employees of “convincing LinkedIn profiles” being created complete with endorsements and hundreds of connections.

“Executives, VPs, and Research and Development (R&D) teams have been targeted, including those working on COVID-19 vaccine and therapy programs,” the university stated.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now