Campaigns through LinkedIn ’s DM deliver More_eggs backdoor via fake job offers

Pierluigi Paganini February 23, 2019

Experts uncovered a new malware campaign that attempts to circumvent victims by abusing LinkedIn ’s direct messaging service. 

Researchers at Proofpoint have uncovered a new malware campaign that attempts to circumvent victims by abusing LinkedIn’s direct messaging service. 

In direct follow-up emails, the actor pretends to be from a staffing company with an offer of employment. In many cases, the actor supports the campaigns with fake websites that impersonate legitimate staffing companies.” reads the analysis published by Proofpoint.

“These websites, however, host the malicious payloads. In other cases, the actor uses a range of malicious attachments to distribute More_eggs.”

Scammers target the potential victims through LinkedIn direct messaging, attempt to establish a contact, and infect them through bogus websites serving malware and malicious emails. Initially, attackers leverage legitimately created a LinkedIn profile to target companies by sending invitations with a short message with the subject “Hi [Name], please add me to your professional network”.

LinkedIn phihsing

Attackers send a direct email to the target’s work address reminding the recipient about the prior attempt to communicate on LinkedIn, using a target’s professional title attempts to trick the recipient into clicking on a link to see the noted job description. Experts also observed the use of PDF attachments with embedded URLs or other malicious attachments.

The URLs link to a landing page that spoofs a real talent and staffing management company that initiates a download of a weaponized Microsoft Word file created with Taurus Builder. If the victim enables macros, the “More_eggs” payload will be downloaded and executed. Experts also observed the landing page initiating the download of a JScript loader to delivery the More_eggs payload.

Experts used a variety of tools to distribute malware, including the Taurus Builder, the VenomKit, and the More_eggs payload.

Experts observed overlaps between these campaigns and a campaign launched against anti-money laundering officers at various financial institutions that was reported by the popular expert Brian Krebs.

The final payload used in the campaigns were different, while key similarities included:

  • The use of a similar PDF email attachment to the PDFs used in the Fake Jobs campaigns
  • The PDFs of both the anti-money laundering campaign and the Fake Jobs campaigns at one point included URLs hosted on the same domain

Further details on the campaign, including the IoCs are reported here.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – LinkedIn phishing, hacking)

[adrotate banner="5"]

[adrotate banner=”13″]

you might also like

leave a comment