Golden Chickens Hatch LinkedIn Fake Job Spear Phishing Attacks

June 25, 2021

The threat group known as Golden Chickens (insert giggle here) is just one of many behind highly effective email spear phishing attacks. Thanks to a massive cyberattack against LinkedIn earlier this year, 7 million user profiles were stolen. Of those, 2 million were posted for free by the hacker and 5 million more were posted for sale on underground forums. It’s the email addresses included in the stolen profiles that has LinkedIn and its users rightly concerned. Golden Chickens group is using the hijacked email addresses to target LinkedIn members with fake job openings via spear phishing. The email lure offers a job that doesn’t actually exist, but catches the user’s attention. That’s where this attack begins to hatch.

The spear phishing emails have a .ZIP file that installs Golden Chickens’ fileless malware called “more_eggs.” Fileless malware uses tools already built into a system that don’t require a hacker to install virus code to work. As a result, more_eggs evades anti-virus tools and makes the attacks more likely to succeed. The malware also has a “backdoor” element allowing the attacker to return to their victim at will for further attacks. The crucial component to more_eggs’ success is getting the target to first open the email and then the attached .ZIP file. That’s where spear phishing comes into play.

More_Eggs Drop

Spear phishing is a highly popular tool for dispensing malware because it works so well. It uses a target’s personal information to first gain their interest and then lure them into the attack. These victim info-nuggets are easily found online – some from prior hacks, others from social media posts, company websites, and other sources. For Golden Chickens, ultimate success relies on the target opening the attached .ZIP file. The trusting job seeker believes the attachment has more details about the “job opening” but instead, opening it drops more­_eggs into a system.

Golden Chickens Sells more_eggs

The final twist behind this scrambled hack is that more_eggs is available for sale or other arrangement by Golden Chickens group. Selling malware is called “malware-as-a-service” or MaaS, providing cybercriminals with the tools needed for a variety of attacks. With more_eggs installed in a system, hackers can infect it with the malware of their choice. That malware can include credential stealing abilities, ransomware, banking trojans, data theft, and more.

Attacks like those from Golden Chickens should be a reminder to be on high alert for emails from untrusted and unknown sources, no matter how much they may interest you. If the email has an attachment, never open it before you’ve identified the sender as being safe and the attachment as trustworthy. Remember, a little email scrutiny ahead of time can save a ton of work recovering from a malware attack.

Stickley on Security