Days after the massive data breach that hit LinkedIn, a hacking group is attacking users of the professional social network through fake job offers. The attackers, known as Golden Chickens, achieve their goal via a sophisticated backdoor Trojan that victims unknowingly download.

As explained by the cybersecurity company eSentire, the hackers use the job title listed on the victim’s LinkedIn profile. For example, if the target’s profile lists the title “Senior Account Executive”, opening the fake job offer prompts the target to download a file named “Senior Account Executive”, with additional text appended to the end to lure the victim.

By opening the fake job offer, the victim inadvertently initiates the installation of a backdoor known as “more_eggs”. This malware attaches itself to normal Windows operating system processes, allowing it to run stealthily without being detected by antivirus software. Distribution via LinkedIn, however, is just the beginning of the danger, as Golden Chickens sells this malware to other hackers.

The backdoor installed on the victim’s computer can serve as an entry point for other types of malware, for example one capable of stealing credentials or collecting bank details, and it can also be used to exfiltrate data. Because these threats are not detected by security programs, they are a headache for the IT support teams of large companies that handle sensitive data.

A threat that goes beyond LinkedIn

Golden Chickens is a known actor in the world of computer threats, dedicated to selling the malware now discovered on LinkedIn to other attackers for use on different platforms and for different purposes. While the identity of those behind this “business” has not been established, eSentire claims there is evidence that the malware has been used by groups such as FIN6, Cobalt Group and Evilnum.

FIN6 is a financially motivated cybercrime group associated with credit card fraud and the sale of card data on underground markets. Evilnum targets fintech companies, going after items such as spreadsheets and documents containing lists of clients, investments and business operations, as well as credentials for trading platform software. Cobalt Group, for its part, also targets fintech companies and their clients.

At the moment, eSentire has not been able to identify what the LinkedIn attackers are after. However, they point out that this is not the first time such an attack has occurred: in February 2019 they detected a similar campaign targeting retail, entertainment and pharmaceutical companies.
