Hackers abuse LinkedIn DMs to plant malware
Fake jobs offers fool unsuspecting users into installing More_eggs back door
Hackers are impersonating recruitment agencies on LinkedIn in a bid to target companies with backdoor malware.
Researchers at Proofpoint found that the malware campaigns primarily targeted US companies in various industries including retail, entertainment, pharmacy, and others that commonly employ online payments, such as online shopping portals.
In a blog post, the firm said hackers establish a relationship with potential victims by abusing LinkedIn's direct messaging service.
In follow-up emails, the actor pretends to be from a staffing company with an offer of employment. In many cases, the actor supports campaigns with fake websites that impersonate legitimate staffing companies. "These websites, however, host the malicious payloads. In other cases, the actor uses a range of malicious attachments to distribute More_eggs," the company said.
After a week, hackers then send a direct email to the target's work address reminding the recipient about the prior attempt to communicate on LinkedIn.
"It uses the target's professional title, as it appears on LinkedIn, as the subject, and often suggests the recipient click on a link to see the noted job description. In other cases, this actor used an attached PDF with embedded URLs or other malicious attachments," Proofpoint added.
The URLs link to a landing page that spoofs a real talent and staffing management company, using stolen branding to enhance the legitimacy of the campaigns. This page then kicks off the download of the malicious Word document that then attempts to download and execute the "More_eggs" payload if the recipient has enabled macros.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"These campaigns demonstrated considerable variability, with the actor frequently changing delivery methods and more," the researchers added.
They said that hackers are turning away from very large-scale "spray and pray" campaigns to focus more on focus on persistent infections with downloaders, RATs, bankers, and other malware.
The researchers warned: "We can expect more threat actors to adopt approaches that improve the effectiveness of their lures and increase the likelihood of high-quality infections."
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.