The Golden Chicken & its Eggs

AKATI Sekurity
Jan 28, 2022

Scrambled or Benedict Eggs?

Golden Chickens, a criminal group operating through an online community, was recently exposed for using spear-phishing on LinkedIn to lure business professionals with fake job offers. Each lure is named after the target’s own position: a user whose profile lists the job title “Senior Account Executive International Freight” receives a malicious .ZIP file named “Senior Account Executive — International Freight role.”

Photo by Daniel Tuttle on Unsplash

In this campaign the attackers deliver the fileless backdoor known as “more_eggs,” which is offered under a malware-as-a-service (MaaS) model. It is a sophisticated malware family that gives its operators control of the victims’ machines. Researchers at eSentire identified the activity and alerted companies and consumers.

Once triggered, the more_eggs backdoor installs itself stealthily, allowing the attacker to load additional malicious plugins and gain remote access to the victim’s computer. more_eggs keeps a low profile by abusing legitimate Windows processes, which has allowed Golden Chicken to market and sell the backdoor to other criminals through a malware-as-a-service (MaaS) framework.

more_eggs is also sold as malware-as-a-service to other malicious actors, who use it to gain a foothold in targets’ networks and then deploy further malware, such as financial malware, password stealers and ransomware, or simply to manipulate data. This phishing tactic is far more likely to succeed in the current economic environment than almost any other, according to Rob McLeod, Sr. Director of eSentire’s Threat Response Unit (TRU).

Hold up! What’s a MaaS?

Well, according to the Kaspersky Encyclopedia, MaaS is the renting of software and hardware to conduct cyber-attacks. Owners of MaaS servers charge a fee for connections to a botnet that spreads malware. Customers of such products are usually given a private account from which they can manage the operation, together with technical support.

Yatsiv, reblaze.com

But beware! It’s an Attack.

Spear phishing is a well-documented method of persuading individuals to click dangerous links. In this case, Golden Chicken is betting that as the economy and industries recover, people will be looking for new and better jobs. The use of the fileless backdoor more_eggs, which is difficult to detect and contain, is a cause for alarm.

Using LinkedIn would have boosted this campaign’s effectiveness. Although some LinkedIn users choose to limit contact from recruiters, the majority are open to new employment prospects. The ability to pick victims by title and location would also have helped the attackers select their targets carefully.

Figure: the new variant of tools used by Golden Chicken (QuoIntelligence, 2021)

According to the investigators, the victim unknowingly triggered VenomLNK, the initial stage of more_eggs, which abused Windows Management Instrumentation (WMI) to launch the plugin loader, TerraLoader. In the process, the legitimate Windows utilities cmstp and regsvr32 are hijacked.

During the TerraLoader stage the target is shown a fake Word document posing as a job application form, but it plays no real role in the infection. It is merely a decoy to draw the victim’s attention away from more_eggs’ activity in the background.

The payload, TerraPreter, is an ActiveX control (.ocx file) fetched from Amazon Web Services. TerraLoader launches a copy of msxsl from the user’s roaming profile and uses it to activate TerraPreter. TerraPreter then begins beaconing to the command-and-control (C2) server through that malicious copy of msxsl. The beacon signals that the more_eggs backdoor is ready for Golden Chicken’s customers to log in and pursue their objectives, which may include infecting the target with additional malware such as ransomware, or using access to the victim’s infrastructure to steal valuable information.
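The chain above gives a defender several concrete things to look for in process-creation telemetry: a stage launched through WMI, the signed utilities cmstp and regsvr32 being used as proxies, a copy of msxsl running from the user’s roaming profile, and an .ocx module loaded from a user-writable location. The following is an added example, not code from the article or from eSentire or QuoIntelligence, that runs those checks over a few constructed event lines. The event format (“parent|image|command line”), the sample lines, the list of user-writable directories and the heuristic that a WMI-initiated process shows WmiPrvSE.exe as its parent are all assumptions made for this example.

```python
"""
Added example (not from the original article, eSentire or QuoIntelligence):
a small hunt over process-creation events for the behaviours the article
attributes to the more_eggs chain. The event format and all sample lines
are constructed; the "WmiPrvSE.exe as parent" heuristic and the
user-writable path list are assumptions, not details from the article.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: these directories are writable by an ordinary user, so a
# system utility taking its input from one of them deserves a look.
USER_WRITABLE = re.compile(
    r'[A-Z]:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\[^\s"]*',
    re.IGNORECASE)
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
PROXY_EXEC_UTILITIES = {"regsvr32.exe", "cmstp.exe"}


@dataclass(frozen=True)
class Event:
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    image: str


def parse_event(line):
    """Parse one constructed 'parent|image|command line' record."""
    parent, image, cmdline = line.split("|", 2)
    return Event(parent.strip(), image.strip(), cmdline.strip())


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def user_writable_args(cmdline, suffixes):
    """Paths in the command line that sit under a user-writable directory
    and end with one of the given suffixes."""
    return [m.group(0) for m in USER_WRITABLE.finditer(cmdline)
            if m.group(0).lower().endswith(suffixes)]


def evaluate(event):
    """Return the names of every rule the event trips (possibly none)."""
    hits = []
    img = basename(event.image)
    # msxsl launched from the roaming profile, as the article describes
    if img == "msxsl.exe" and ROAMING.search(event.image):
        hits.append("msxsl_from_roaming_profile")
    # regsvr32 registering an .ocx/.dll that lives where a user can write
    if img == "regsvr32.exe" and user_writable_args(event.cmdline, (".ocx", ".dll")):
        hits.append("regsvr32_user_writable_module")
    # cmstp fed an .inf from a user-writable location
    if img == "cmstp.exe" and user_writable_args(event.cmdline, (".inf",)):
        hits.append("cmstp_user_writable_inf")
    # assumption: WMI-initiated execution shows WmiPrvSE.exe as the parent
    if basename(event.parent) == "wmiprvse.exe" and img in PROXY_EXEC_UTILITIES:
        hits.append("wmi_spawned_proxy_execution")
    return hits


def hunt(lines):
    """Run every rule over every record; returns a list of Finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        event = parse_event(line)
        findings.extend(Finding(rule, n, event.image) for rule in evaluate(event))
    return findings


# Constructed sample telemetry: lines 2-4 imitate the chain described in the
# article, lines 1 and 5 are ordinary activity that should not be flagged.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Windows\System32\msxml3.dll",
    r"C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmstp.exe|cmstp.exe /s C:\Users\alice\AppData\Local\Temp\setup.inf",
    r"C:\Windows\System32\cmd.exe|C:\Users\alice\AppData\Roaming\Microsoft\msxsl.exe|msxsl.exe input.xml transform.xsl",
    r"C:\Windows\explorer.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s /i C:\Users\alice\AppData\Roaming\Adobe\control.ocx",
    r"C:\Windows\explorer.exe|C:\Users\alice\AppData\Local\Programs\Editor\editor.exe|editor.exe notes.txt",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.rule} ({f.image})")
```

Run against the constructed sample, the script reports four findings on lines 2 to 4 and nothing for the two benign lines. The rules are deliberately narrow (a specific binary plus a user-writable path or an unexpected parent) so that ordinary use of regsvr32 and cmstp from system locations stays quiet; in a real environment the parent-process heuristic in particular should be tuned against the organisation’s own baseline.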

Figure: attack layout of the more_eggs malware (Murphy, 2021)

This model lets Golden Chicken concentrate on growing the number of compromised devices while earning money from other malicious actors. The latest spear-phishing campaign is aimed at healthcare workers in the United States; it will be interesting to see whether it spreads to other countries.

In the last 18 months, cyber criminals have launched multiple attacks against healthcare organizations and employees in an attempt to profit from the pandemic. Some are clearly trying to cause havoc, while others are after information. It is not yet known what the customers of the Golden Chicken MaaS are ultimately pursuing.

Figure: the fake Word document used by the attackers (eSentire, 2021)
Figure: indicators observed in the attack (eSentire, 2021)

Who is the Mastermind?

The Cobalt Group was one of the first “clients” of the Golden Chickens MaaS, whose activity dates back to 2017 in connection with financial cybercrime. The operation’s success depends on a set of tools and resources that supply customers with the malware and services they need to launch tailored, coordinated attacks.

GC remains the preferred MaaS provider for some top-tier e-crime groups that rely on coordinated intrusions to achieve their goals, according to QuoIntelligence, because the GC MaaS offering is reliable in terms of longevity and versatility. In addition, the GC MaaS operator consistently updates its tooling, develops new tools and maintains the supporting infrastructure.

The financially motivated group FIN6 used the more_eggs malware to target various e-commerce companies back in 2019. Around the same time, attackers used more_eggs to breach the online payment systems of retail, entertainment and pharmaceutical companies; eSentire researchers have not definitively linked these intrusions to FIN6 but suspect a connection. Other groups have used the malware too. Evilnum favours financial technology companies, according to eSentire, stealing spreadsheets, customer lists and trading credentials, while Cobalt Group usually deploys the more_eggs backdoor against financial companies.

Always Prepare an Umbrella Before it Rains

Photo by Ricardo Resende on Unsplash

Regardless of how convincing the cover letter is, users must always be wary of attachments. Every document should be cross-checked to make sure it is safe to open.
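One way to make that cross-check concrete for a ZIP attachment is to list the archive’s members without extracting anything and refuse to open it if a member could execute code. The article notes that the lure is a .ZIP named after the job title and that the chain begins with a shortcut (VenomLNK), so a job-offer archive containing a .lnk, a document-looking double extension, or a path that escapes the extraction directory is exactly what such a check should catch. The code below is an added example, not the article’s or eSentire’s own; the archive contents it builds are constructed for the example and are not the real campaign’s files, and the extension lists are the author’s assumptions.

```python
"""
Added example (not from the original article or from eSentire): a
pre-open check for ZIP attachments that lists members without extracting
them. The archive contents below are constructed for this example and
the extension lists are assumptions, not details taken from the article.
"""
import io
import zipfile

# Assumption: a recruiter's attachment has no legitimate reason to carry
# any member that can execute code when opened.
RISKY_EXT = {".lnk", ".exe", ".scr", ".js", ".jse", ".vbs", ".hta",
             ".ocx", ".dll", ".inf", ".bat", ".cmd", ".ps1"}
DOCUMENT_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}


def member_extensions(member_name):
    """All trailing extensions of a member, lower-cased,
    e.g. 'role.docx.lnk' -> ['.docx', '.lnk']."""
    leaf = member_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = leaf.split(".")
    return ["." + p for p in parts[1:] if p]


def inspect_archive(data):
    """Return human-readable verdicts for a ZIP given as bytes; an empty
    list means these checks found nothing suspicious. Nothing is extracted."""
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            segments = name.replace("\\", "/").split("/")
            # member would be written outside the extraction directory
            if name.startswith(("/", "\\")) or ".." in segments:
                verdicts.append(f"{name}: path escapes the extraction directory")
            exts = member_extensions(name)
            # the real type is the last extension, whatever the name suggests
            if exts and exts[-1] in RISKY_EXT:
                verdicts.append(f"{name}: executable member ({exts[-1]})")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and exts[-1] in RISKY_EXT:
                verdicts.append(f"{name}: document-looking double extension")
    return verdicts


def build_archive(members):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_lure_archive():
    """Constructed sample in the shape the article describes: an archive named
    after the target's job title whose 'document' is really a shortcut."""
    return build_archive({
        "Senior Account Executive - International Freight role.docx.lnk":
            b"L\x00\x00\x00" + b"\x00" * 60,   # placeholder bytes, not a real .lnk
        "Senior Account Executive - International Freight role.docx":
            b"decoy document bytes",
    })


def build_benign_archive():
    """Constructed sample: what a harmless job-description archive looks like."""
    return build_archive({"International Freight role/job_description.pdf": b"%PDF-1.4 ..."})


if __name__ == "__main__":
    for label, archive in (("lure", build_lure_archive()),
                           ("benign", build_benign_archive())):
        verdicts = inspect_archive(archive)
        print(f"{label}: {'BLOCK' if verdicts else 'no findings'}")
        for v in verdicts:
            print("  -", v)
```

The check reads only the central directory, so a malicious member is never written to disk, and it judges a member by its last extension rather than the document-like name in front of it, which is what defeats the “role.docx.lnk” style of naming. It is a gate, not a verdict on the file’s contents: an archive that passes still deserves the usual scanning before it is opened.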

The End.

The latest campaigns are expected to target individuals who hold senior roles in businesses and have access to confidential information. It is therefore critical for all LinkedIn users to stay vigilant and alert for spear-phishing attempts. Analysts also advise enabling MFA on accounts with user privileges.
