Researchers at Proofpoint have uncovered a new malware campaign that attempts to compromise victims by abusing LinkedIn’s direct messaging service.
“These websites, however, host the malicious payloads. In other cases, the actor uses a range of malicious attachments to distribute More_eggs.”
Scammers target the potential victims through LinkedIn direct messaging, attempt to establish a contact, and infect them through bogus websites serving malware and malicious emails. Initially, attackers leverage legitimately created a
Attackers then send an email to the target’s work address reminding the recipient of the earlier attempt to communicate on LinkedIn and, using the target’s professional title, attempt to trick the recipient into clicking on a link to view the referenced job description. Experts also observed the use of PDF attachments with embedded URLs or other malicious attachments.
The URLs lead to a landing page that spoofs a real talent and staffing management company and initiates the download of a weaponized Microsoft Word file created with Taurus Builder. If the victim enables macros, the “More_eggs” payload is downloaded and executed. Experts also observed the landing page initiating the download of a JScript loader to deliver the More_eggs payload.
Experts observed the attackers using a variety of tools to distribute malware, including Taurus Builder, VenomKit, and the More_eggs payload.
Experts observed overlaps between these campaigns and a campaign launched against anti-money laundering officers at various financial institutions that was reported by the popular expert Brian Krebs.
The final payloads used in the campaigns were different, while key similarities included:
Further details on the campaign, including the IoCs, are reported here.
(SecurityAffairs – LinkedIn phishing, hacking)