Researchers at Proofpoint have uncovered a new malware campaign that attempts to circumvent victims by abusing LinkedIn’s direct messaging service.
“These websites, however, host the malicious payloads. In other cases, the actor uses a range of malicious attachments to distribute More_eggs.”
Scammers target the potential victims through LinkedIn direct messaging, attempt to establish a contact, and infect them through bogus websites serving malware and malicious emails. Initially, attackers leverage legitimately created a
Attackers send a direct email to the target’s work address reminding the recipient about the prior attempt to communicate on LinkedIn, using a target’s professional title attempts to trick the recipient into clicking on a link to see the noted job description. Experts also observed the use of PDF attachments with embedded URLs or other malicious attachments.
The URLs link to a landing page that spoofs a real talent and staffing management company that initiates a download of a weaponized Microsoft Word file created with Taurus Builder. If the victim enables macros, the “More_eggs” payload will be downloaded and executed. Experts also observed the landing page initiating the download of a JScript loader to delivery the More_eggs payload.
Experts used a variety of tools to distribute malware, including the Taurus Builder, the VenomKit, and the More_eggs payload.
Experts observed overlaps between these campaigns and a campaign launched against anti-money laundering officers at various financial institutions that was reported by the popular expert Brian Krebs.
The final payload used in the campaigns were different, while key similarities included:
Further details on the campaign, including the IoCs are reported here.
(SecurityAffairs – LinkedIn phishing, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.