By Bill Toulas on Friday, 20 October 2023
Category: Security

Fake Corsair job offers on LinkedIn push DarkGate malware

A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware like DarkGate and RedLine. 

Cybersecurity company WithSecure detected the activity and tracked the activity of the group, showing in a report today that it is linked to Vietnamese cybercriminal groups responsible for the 'Ducktail' campaigns first spotted last year.

These campaigns aim to steal valuable Facebook business accounts that can be used for malvertising or sold to other cybercriminals. 

DarkGate was first spotted in 2017 but its deployment remained limited until June 2023, when its author decided to sell access to the malware to a larger audience.

Recent examples of DarkGate's use include phishing attacks through Microsoft Teams that push the payload and leveraging compromised Skype accounts to send VBS scripts to trigger an infection chain leading to the malware.

Corsair lure

The Vietnamese threat actors targeted mainly users in the U.S., the U.K., and India, who hold social media management positions and are likely to have access to Facebook business accounts. The lure is delivered over LinkedIn and involves a job offer at Corsair.

Targets are tricked into downloading malicious files from a URL("g2[.]by/corsair-JD") that redirects to Google Drive or Dropbox to drop a ZIP file ("Salary and new products.8.4.zip") with a PDF or DOCX document and a TXT file with thefollowing names:

WithSecure researchers analyzed the metadata for the above files and found leads to RedLine stealer distribution.

The downloaded archive contains a VBS script, possibly embedded in the DOCX file, that copies and renames 'curl.exe' to a new location and leverages it to download 'autoit3.exe' and a compiled Autoit3 script.

The executable launches the script, and the latter de-obfuscates itself and constructs DarkGate using strings present in the script.

Thirty seconds after installation, the malware attempts to uninstall security products from the compromised system, indicating the existence of an automated process. 

LinkedIn introduced features to fight abuse in the platform late last year that can help users determine if an account is suspicious or fake. However, it falls on the users to check the verified info before engaging in communication with a new account.

WithSecure has released a list of indicators of compromise (IoCs) that could help organizations defend against activity from this threat actor. The details include IP addresses, domains used, URLs, file metadata, and names of archives.

Related Posts

Leave Comments