2023-10-26

In a rapidly evolving cyber landscape, threat actors are constantly finding innovative ways to exploit vulnerabilities and compromise personal information. Recently, security firm Cluster25 uncovered a malicious campaign utilizing LinkedIn messages as a gateway to launch sophisticated identity theft attacks. This campaign specifically targets professionals in sales and finance sectors based in Italy.

Instead of the traditional email-based approach, hackers exploit compromised LinkedIn accounts to send messages disguised as enticing job offers. The messages contain seemingly harmless PDF files; however, these files harbor dangerous links that lead to malicious websites aimed at harvesting sensitive data.

The attackers employ a strain of malware known as DuckTail, which not only compromises the victim’s computer but also has the capability to infiltrate their Facebook Business account. By analyzing the malicious domains and URLs employed by the hackers, Cluster25 shed light on the extent and complexity of this campaign.

How Does the Scam Work?

Upon opening the PDF file, victims encounter two links — one redirecting them to a counterfeit website mirroring a legitimate organization, and the other initiating the download of a seemingly innocent ZIP file from Microsoft OneDrive. Inside this ZIP file, disguised as video and Word documents, lies the hidden threat.

Sophisticated malware, employing a technique called “single-file application” (a .NET publishing option that bundles an application and its dependencies into one executable), conceals its malicious code within these seemingly harmless files. This makes it challenging for antivirus software to detect and neutralize the malicious payload effectively.

Once executed, the malware infects the victim’s computer, promptly initiating the theft of valuable information such as cookies, session data, and browser credentials. In addition, it attempts to gain unauthorized access to the victim’s Facebook Business account, utilizing the linked email as an entry point.

The Danger Amplified: Exploiting the DLL File

To further intensify the threat, the hackers cleverly devised a fake DLL file that acts as a spy, intercepting the victim’s web browsing data and redirecting it to their command center via Telegram. By manipulating victims into opening a PDF file supposedly containing a LinkedIn job offer, attackers set the stage to deploy this malicious file.

Built with Microsoft .NET, this DLL file first checks whether another instance of itself is already running on the victim’s computer. If none is found, it creates a file holding key information about the victim’s system, including the Globally Unique Identifier (GUID) and IP address. To mask its activity, it also displays a seemingly innocuous job-description PDF.

The DLL file establishes contact with the hackers through Telegram, employing a BOT ID of 6263348871. It then sends them a message, including the victim’s ChatID and relevant text. Subsequently, it transmits ZIP files housing stolen data to the attackers using the Telegram API.
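As an added example (not code from Cluster25's report or from the malware itself), a small Python triage script that scans constructed proxy-log lines for Telegram Bot API traffic of the kind described above: it extracts the bot ID and method from the request URL, flags sendMessage and sendDocument calls, and raises severity for document uploads and for the bot ID named in this article. The log format, host names and process name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Telegram Bot API URL layout: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_API_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[^/]+)/(?P<method>\w+)$")

# Methods matching the behaviour in the article: a text message carrying the ChatID,
# followed by ZIP uploads of stolen data.
FLAGGED_METHODS = {"sendMessage", "sendDocument"}

# Bot ID quoted in the article; used here as a known indicator.
KNOWN_BOT_IDS = frozenset({"6263348871"})

# Constructed proxy log (assumed format: timestamp host process url); the hosts,
# process name, chat ID and token secret are placeholders, not real values.
SAMPLE_PROXY_LOG = """\
2023-10-26T09:12:01Z ws-fin-07 decoy-loader.exe https://api.telegram.org/bot6263348871:REDACTED_TOKEN/sendMessage?chat_id=CONSTRUCTED_CHAT&text=new+host
2023-10-26T09:12:44Z ws-fin-07 decoy-loader.exe https://api.telegram.org/bot6263348871:REDACTED_TOKEN/sendDocument?chat_id=CONSTRUCTED_CHAT
2023-10-26T09:13:10Z ws-sales-02 chrome.exe https://www.linkedin.com/messaging/
2023-10-26T09:14:00Z ws-it-01 python.exe https://api.telegram.org/bot1234567890:EXAMPLE_TOKEN/getUpdates
"""


def parse_proxy_line(line):
    """Split one 'timestamp host process url' line into a dict."""
    ts, host, process, url = line.split(maxsplit=3)
    return {"ts": ts, "host": host, "process": process, "url": url}


def classify(event, known_bot_ids=KNOWN_BOT_IDS):
    """Return a finding for a flagged Telegram Bot API call, or None."""
    parts = urlsplit(event["url"])
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_API_RE.match(parts.path)
    if not m or m.group("method") not in FLAGGED_METHODS:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    # sendDocument is the exfiltration step (ZIP uploads); a known bot ID is a direct IoC match.
    high = m.group("method") == "sendDocument" or m.group("bot_id") in known_bot_ids
    return {"host": event["host"], "process": event["process"], "bot_id": m.group("bot_id"),
            "method": m.group("method"), "chat_id": chat_id,
            "severity": "high" if high else "medium"}


def scan(lines, known_bot_ids=KNOWN_BOT_IDS):
    """Run classify over log lines, dropping blanks and non-findings."""
    events = (parse_proxy_line(l) for l in lines if l.strip())
    return [f for f in (classify(e, known_bot_ids) for e in events) if f]
```

Running `scan(SAMPLE_PROXY_LOG.splitlines())` yields two high-severity findings from ws-fin-07 and ignores the LinkedIn and unrelated getUpdates traffic.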

Implications and Countermeasures

The ramifications of falling victim to these attacks can be severe. The hackers can exploit the stolen data, assume the victim’s online identity, and gain unauthorized access to their various accounts. Therefore, professionals utilizing LinkedIn must exercise utmost caution while handling files or clicking on links from unknown sources.

To mitigate vulnerabilities, it is crucial to employ trustworthy antivirus software to protect against complex threats like DuckTail. Regularly updating software and promptly patching known vulnerabilities is also essential to prevent exploitation. Remaining vigilant and cautious when interacting with digital communication is the first line of defense against these calculated attacks.

