- Security researchers spot phishing emails posing as LinkedIn InMail notifications
- The emails deliver the ConnectWise remote access trojan (RAT)
- There are several red flags, including a fake company, a stolen profile photo and more
Cybercriminals are using lookalike LinkedIn notification emails to deliver the ConnectWise remote access trojan (RAT), experts have warned.
A new report by cybersecurity researchers at Cofense Intelligence notes that the phishing campaign probably started in May 2024 with an email imitating the notification LinkedIn sends when a user receives an InMail message. The professional networking platform does not let people who are not connected exchange messages, unless the sender is a Premium (paying) member; those members can use a feature called InMail to reach people they are not connected with.
Receiving such a message triggers an email notification from LinkedIn, and it is this notification that the attackers spoofed here.
Getting around email filters
There are several red flags in the email. First, the template it uses was retired by LinkedIn almost five years ago. Second, the supposed project manager / sales director who sends the message does not exist, and the attached photo is named "Executive16.png". The profile photo used in the email actually belongs to the president of the Korean Society of Civil Engineering Law, a person named Cho So-Young.
Finally, the company the sender supposedly works for, "Dongjin Weidmüller Korea Ind", does not exist either.
The email carries two buttons, "Read more" and "Reply". Both trigger the download of the ConnectWise RAT, a remote administration tool that was originally part of ConnectWise ScreenConnect, a legitimate remote desktop product used for IT management and support. Cybercriminals have, however, repurposed it and abuse it as a remote access trojan to gain unauthorized control of victims' systems.
The email got past the existing security filters mainly because of how email authentication was configured on the recipient's side, the researchers added.
Even though the email failed SPF (Sender Policy Framework) and was not signed with DKIM (DomainKeys Identified Mail), it still was not rejected by the receiving system. This happened because the email security policy, specifically DMARC (Domain-based Message Authentication, Reporting and Conformance), was applied as "oreject" (override reject) instead of rejecting the suspicious message outright. In Microsoft 365, `action=oreject` in the Authentication-Results header means the sending domain's `p=reject` policy was overridden by the tenant's settings and the message was marked as spam rather than dropped.
This setting probably allowed the email to be flagged as spam but still land in the recipient's mailbox.
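To make the DMARC point concrete, here is an added example (it is not code from the Cofense report or from the original article) that parses a Microsoft 365-style Authentication-Results header and flags messages that failed SPF, DKIM and DMARC but were only junked because of an "oreject" override, which is exactly the gap this campaign slipped through. The sample headers, the sender IPs and the use of linkedin.com as the spoofed From domain are constructed for illustration.

```python
import re

# Constructed sample headers (not taken from the Cofense report). They mimic
# what a Microsoft 365 mailbox records for (1) a spoofed notification whose
# DMARC reject policy was overridden, (2) the same message when the tenant
# honours the reject policy, and (3) a genuine, fully authenticated message.
SAMPLE_OVERRIDDEN = (
    "spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=linkedin.com; "
    "dkim=none (message not signed) header.d=none; "
    "dmarc=fail action=oreject header.from=linkedin.com; "
    "compauth=fail reason=000"
)
SAMPLE_REJECTED = (
    "spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=linkedin.com; "
    "dkim=none (message not signed) header.d=none; "
    "dmarc=fail action=reject header.from=linkedin.com; "
    "compauth=fail reason=000"
)
SAMPLE_LEGIT = (
    "spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=linkedin.com; "
    "dkim=pass (signature was verified) header.d=linkedin.com; "
    "dmarc=pass action=none header.from=linkedin.com; "
    "compauth=pass reason=100"
)


def parse_auth_results(header: str) -> dict:
    """Split an Authentication-Results value into {method: {"result": ..., prop: value}}.

    Each ';'-separated clause is "method=result [comment] prop=value ...".
    Parenthesised comments such as "(sender IP is ...)" are discarded.
    """
    results = {}
    for clause in header.split(";"):
        clause = re.sub(r"\([^)]*\)", "", clause).strip()
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {"result": result}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            props[key] = value
        results[method] = props
    return results


def triage(header: str) -> str:
    """Classify a message by its DMARC outcome and the action the receiver took.

    Returns one of:
      "authenticated"           - DMARC passed
      "dmarc-fail-rejected"     - DMARC failed and the message was rejected
      "dmarc-fail-overridden"   - DMARC failed but a p=reject policy was
                                  overridden ("oreject"): the message reached
                                  the mailbox, typically as spam
      "dmarc-fail-quarantined"  - DMARC failed and the message was quarantined
      "dmarc-fail-none"         - DMARC failed with no enforcing action
    """
    ar = parse_auth_results(header)
    dmarc = ar.get("dmarc", {})
    if dmarc.get("result") == "pass":
        return "authenticated"
    action = dmarc.get("action", "none")
    if action == "reject":
        return "dmarc-fail-rejected"
    if action == "oreject":
        return "dmarc-fail-overridden"
    if action == "quarantine":
        return "dmarc-fail-quarantined"
    return "dmarc-fail-none"


def delivered_despite_failure(header: str) -> bool:
    """True when SPF failed, DKIM is absent and the message was still delivered.

    This is the combination the article describes: the only thing keeping the
    spoof out of the inbox was the spam verdict, not DMARC enforcement.
    """
    ar = parse_auth_results(header)
    spf_failed = ar.get("spf", {}).get("result") == "fail"
    dkim_missing = ar.get("dkim", {}).get("result") in ("none", None)
    not_rejected = triage(header) not in ("authenticated", "dmarc-fail-rejected")
    return spf_failed and dkim_missing and not_rejected


if __name__ == "__main__":
    for name, hdr in (("overridden", SAMPLE_OVERRIDDEN),
                      ("rejected", SAMPLE_REJECTED),
                      ("legit", SAMPLE_LEGIT)):
        print(f"{name:10s} {triage(hdr):24s} delivered_despite_failure={delivered_despite_failure(hdr)}")
```

Running the script over real headers is a quick hunt: any message in a mailbox whose Authentication-Results shows `dmarc=fail action=oreject` is a message the sending domain asked you to reject. Mail administrators who want the reject policy honoured have to change the tenant's DMARC handling; the header alone only tells you the override happened.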