Date: 2023-10-20

A recent report by cybersecurity company WithSecure has revealed a new tactic used by threat actors to lure individuals into downloading info-stealing malware. These threat actors, linked to the Vietnamese cybercriminal groups responsible for last year’s ‘Ducktail’ campaigns, are using fake LinkedIn posts and direct messages to trick users into thinking they are applying for a Facebook Ads specialist position at hardware maker Corsair.

The main objective of these campaigns is to steal valuable Facebook business accounts that can be used for malvertising or sold to other cybercriminals. Upon clicking on a URL provided in the LinkedIn message, users are redirected to Google Drive or Dropbox, where they encounter a ZIP file containing a PDF or DOCX document and a TXT file related to the supposed job offer.

WithSecure researchers analyzed the metadata of these files and found links to the distribution of the RedLine stealer malware. The downloaded archive contains a VBS script, which may also be embedded in the DOCX file, that starts a chain of actions, including downloading additional executables and assembling the DarkGate malware.

Once DarkGate is installed on the compromised system, it attempts to uninstall security products, suggesting an automated process. This poses a significant risk to the security of organizations and their data.
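The lure archive described above (decoy PDF/DOCX and TXT bundled with a VBS script) is a pattern a mail or download gateway can flag before anyone opens it. The following is an added example, not code from WithSecure's report; the archive it builds is a constructed sample with placeholder contents, and the extension lists are the author's assumptions about what belongs in a job-offer archive.

```python
import io
import zipfile

# Script/executable member types that have no place in a job-offer archive (assumed list)
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".exe", ".scr", ".lnk"}
# Document types used as decoys in the lure
DECOY_EXTENSIONS = {".pdf", ".docx", ".doc", ".txt"}


def triage_lure_archive(zip_bytes: bytes) -> dict:
    """Inspect a ZIP's member list for the lure pattern: decoy documents
    bundled with a script that starts the infection chain.
    Only member names are read; nothing is extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    scripts, decoys, double_ext = [], [], []
    for name in names:
        parts = name.lower().rsplit("/", 1)[-1].split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SCRIPT_EXTENSIONS:
            scripts.append(name)
            # e.g. "Job Description.pdf.vbs": a document extension disguising a script
            if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
                double_ext.append(name)
        elif ext in DECOY_EXTENSIONS:
            decoys.append(name)
    return {
        "members": names,
        "scripts": scripts,
        "decoys": decoys,
        "double_extension": double_ext,
        # decoy documents plus a script member is the combination worth quarantining
        "suspicious": bool(scripts) and bool(decoys),
    }


def build_sample_archive(include_script: bool = True) -> bytes:
    """Constructed sample mirroring the archive layout in the article (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ads_Specialist_Offer/Job Description.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Ads_Specialist_Offer/Salary and Benefits.txt", b"placeholder text")
        if include_script:
            zf.writestr("Ads_Specialist_Offer/Application Form.pdf.vbs", b"' placeholder script")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_lure_archive(build_sample_archive()))
```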

To defend against this threat actor, WithSecure has released a list of indicators of compromise (IoCs) that includes IP addresses, domains used, URLs, file metadata, and archive names. It is crucial for organizations to implement security measures and educate their employees about the risks associated with interacting with suspicious LinkedIn accounts.

While LinkedIn has introduced features to combat abuse on its platform, it remains the responsibility of users to verify the authenticity of an account before engaging in communication. Vigilance and caution are necessary in protecting against these evolving cyber threats.

Definitions:

1. Info-stealing malware: Malicious software designed to collect sensitive information, such as login credentials, financial data, or personal information, from infected systems.

2. Malvertising: The use of online advertising to spread malware or scams through deceptive ads.

3. Threat actor: An individual or a group engaged in unauthorized activities or cyber attacks.

4. Indicators of compromise (IoCs): Digital artifacts or patterns that indicate the presence of a cyber threat or compromise.

Sources:

– WithSecure report on fake LinkedIn posts and RedLine malware activity.