October 20, 2023 at 08:50AM
LinkedIn users are being targeted by a threat actor spreading malware through fake job postings at the hardware maker Corsair. The cybercriminal group behind the attacks, believed to be Vietnamese, is linked to earlier campaigns targeting Facebook business accounts. The malware, which includes DarkGate and RedLine, is delivered through malicious files downloaded from URLs shared in LinkedIn messages. Security company WithSecure has published indicators of compromise to help organizations defend against this threat. Users are encouraged to exercise caution and verify the authenticity of LinkedIn accounts before engaging in communication.
Key takeaways are as follows:
1. A threat actor is using fake LinkedIn posts and direct messages to deceive people into downloading info-stealing malware.
2. The malware being used includes DarkGate and RedLine.
3. WithSecure, a cybersecurity company, has identified and tracked the activity of the group responsible for these campaigns.
7. The threat actor group is linked to Vietnamese cybercriminal groups involved in the earlier campaigns known as ‘Ducktail’.
5. The primary target of these campaigns is users in the U.S., the U.K., and India who hold social media management positions and have access to Facebook business accounts.
6. The lure is a job offer at Corsair, a hardware maker.
7. Targets are tricked into downloading malicious files from a URL that redirects to Google Drive or Dropbox.
11. The downloaded files contain a VBS script that leads to the deployment of the RedLine stealer and the DarkGate malware.
9. DarkGate attempts to uninstall security products from the compromised system.
10. LinkedIn has introduced features to fight abuse on its platform, but users should still verify information before engaging with new accounts.
11. WithSecure has released a list of indicators of compromise (IoCs) to help organizations defend against this threat actor.