Sophisticated Threat Actors are using LinkedIn to Phish Employees

Posted by ProCircular Team on Sep 30, 2021 9:03:06 AM

Phishing via employment-focused social media is on the rise. While performing incident response over the last few months, ProCircular encountered multiple incidents where LinkedIn was used in employee phishing attacks. Several news articles raised awareness of this phishing vector over the last year, and the trend continues with a new wave of attacks by sophisticated threat actors.

The attackers are performing spear-phishing attacks against companies by luring their employees to click malicious links with promises of lucrative job offers. These attacks succeed when employees believe the attachments are legitimate and download a file carrying hidden malware. When they open what appears to be the job description document, they actually launch a .lnk file that installs the More_Eggs toolkit. The perpetrator behind this attack is believed to be the threat actor known as FIN6, which has a reputation for targeting organizations with an online shopping presence: it breaks into their networks and infects online payment portals with credit card-skimming code.

The Threat Response Unit (TRU) research team at eSentire reported on this spear-phishing activity last April. The attackers had gone dormant until they began a new wave of attacks in June and July. The attackers may have been dormant while they evolved their toolkit to evade antivirus and EDR. The new wave of attacks is almost identical to the attacks described by TRU. The full attack write-up by TRU can be found here.

For more information about this toolset, look here.

Artifacts observed in the attack chain:

  • AWS website hosting the zip file containing the malicious .lnk
  • Cobalt Strike beacon
  • Scripts and XML documents used with msxsl.exe
  • Signed Microsoft binary used by More_Eggs
  • Uncommon binary executed after the malware lands
  • Registry key persistence: executes cscript to launch the malware
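As an added example (not code from ProCircular or TRU), the following Python triage function checks constructed, Sysmon-style events for two of the behaviours listed above: msxsl.exe run against script/XML files from a user-writable path, and a Run-key value that launches cscript to start the malware. The event field names, file paths and sample events are assumptions made for this example.

```python
import re

# Constructed, Sysmon-like events (field names are assumptions for this example).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "image": r"C:\Users\jdoe\AppData\Local\Temp\msxsl.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msxsl.exe C:\Users\jdoe\AppData\Local\Temp\data.xml C:\Users\jdoe\AppData\Local\Temp\data.xsl"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'cscript.exe //E:jscript "C:\Users\jdoe\AppData\Roaming\updater.txt"'},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# Autorun locations that the persistence entry in the article would live under.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
# Directories a user can write to without admin rights (assumed list).
USER_WRITABLE = re.compile(r"\\appdata\\|\\temp\\|\\downloads\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the artifact categories from the article that this event matches."""
    hits = []
    if event["type"] == "registry_set":
        # Run-key value that starts a Windows script host -> persistence via cscript.
        if RUN_KEY.search(event["key"]) and any(h in event["value"].lower() for h in SCRIPT_HOSTS):
            hits.append("run_key_persistence_via_script_host")
    elif event["type"] == "process_create":
        image, cmd = basename(event["image"]), event["cmdline"].lower()
        # msxsl.exe fed XML/XSL documents, as in the article's msxsl.exe entry.
        if image == "msxsl.exe" and re.search(r"\.(xml|xsl)\b", cmd):
            hits.append("msxsl_script_execution")
        # A signed Microsoft binary (msxsl.exe is one) or script host dropped into a user path.
        if image in SCRIPT_HOSTS + ("msxsl.exe",) and USER_WRITABLE.search(event["image"]):
            hits.append("signed_binary_run_from_user_writable_path")
    return hits


def triage(events):
    """Map event index -> matched categories, keeping only events that matched."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```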


Topics: Incident Response, hacking, risk
