- Sophisticated LinkedIn phishing uses fake job postings to target executives
- The attacks use DLL sideloading and Python tools to install remote access Trojans.
- ReliaQuest warns that phishing extends beyond email, exploiting neglected social media platforms
Business executives and IT administrators are the target of a highly sophisticated phishing attack that occurs not in the email inbox, but rather on LinkedIn.
Security researchers at ReliaQuest said they have seen a new attack combining legitimate Python penetration testing projects, DLL sideloading and fake job postings to infect “high-value targets” with remote access trojans (RATs).
According to the ReliaQuest report, victims are carefully chosen and contacted with an invitation to a business project or job. The LinkedIn post comes with a download link that, if clicked, downloads a self-extracting WinRAR (SFX) archive. The file name is usually tailored to the victim’s role, such as a product roadmap or project plan.
Deploy the RAT
When the victim opens the archive, it automatically extracts multiple files in the same folder, making the package look legitimate. The victim then launches the PDF reader included in the archive, believing that they are opening a normal document.
The reader then loads a malicious DLL also included in the archive. This method, known as DLL sideloading, executes the attacker’s code without triggering immediate security alerts, the researchers explained.
The malicious DLL adds a “Run” key to the Windows registry to establish persistence, then runs a portable Python interpreter also included in the archive. The interpreter then runs a Base64-encoded open source hacking tool directly in memory.
In turn, the malware begins communicating with a command and control server, which is standard behavior for remote access Trojans.
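The chain described above leaves three correlatable traces on the endpoint: an unsigned DLL loaded from the same user-writable folder as the executable, a Run key write by that process, and a bundled Python interpreter spawned from its folder. The following detection sketch is an added example, not taken from the ReliaQuest report; it assumes simplified Sysmon-style events (IDs 1, 7 and 13), and all paths and file names in the sample data are constructed.

```python
import ntpath
from collections import defaultdict

USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")
RUN_KEY = "\\currentversion\\run\\"
PYTHON_NAMES = {"python.exe", "pythonw.exe"}

# Constructed sample events (simplified Sysmon-style fields; all paths hypothetical).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\cfo\Downloads\Roadmap\reader.exe",
     "ImageLoaded": r"C:\Users\cfo\Downloads\Roadmap\helper.dll", "Signed": False},
    {"EventID": 13, "Image": r"C:\Users\cfo\Downloads\Roadmap\reader.exe",
     "TargetObject": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "Image": r"C:\Users\cfo\Downloads\Roadmap\py\python.exe",
     "ParentImage": r"C:\Users\cfo\Downloads\Roadmap\reader.exe"},
    # Benign: installed reader loading its own signed DLL from Program Files.
    {"EventID": 7, "Image": r"C:\Program Files\Reader\reader.exe",
     "ImageLoaded": r"C:\Program Files\Reader\core.dll", "Signed": True},
]

def _dir(path):
    """Lower-cased parent directory with a trailing backslash, for prefix comparison."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"

def find_sideload_chains(events):
    """Return {process image: signals} for processes showing at least 2 of the 3 behaviours."""
    signals = defaultdict(set)
    for e in events:
        if e["EventID"] == 7:  # image load: unsigned DLL next to an EXE in a user-writable folder
            img, dll = e["Image"], e["ImageLoaded"]
            in_user_dir = any(p in img.lower() for p in USER_WRITABLE)
            if in_user_dir and _dir(img) == _dir(dll) and not e.get("Signed", False):
                signals[img.lower()].add("unsigned_dll_beside_exe")
        elif e["EventID"] == 13:  # registry value set under a Run key
            if RUN_KEY in e["TargetObject"].lower():
                signals[e["Image"].lower()].add("run_key_write")
        elif e["EventID"] == 1:  # process create: python.exe shipped in the parent's own folder
            child, parent = e["Image"], e["ParentImage"]
            if (ntpath.basename(child).lower() in PYTHON_NAMES
                    and _dir(child).startswith(_dir(parent))):
                signals[parent.lower()].add("bundled_python_child")
    return {img: sorted(s) for img, s in signals.items() if len(s) >= 2}

if __name__ == "__main__":
    for image, hits in find_sideload_chains(SAMPLE_EVENTS).items():
        print(image, hits)
```

Requiring two of the three signals keeps a lone Run key write by an ordinary installer, or an application that legitimately bundles Python, from raising an alert on its own.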
“This campaign serves as a reminder that phishing is not limited to email inboxes. Phishing attacks take place on alternative channels such as social media, search engines and messaging apps – platforms that many organizations still neglect in their security strategies,” ReliaQuest said.
“Social media platforms, especially those frequently accessed on corporate devices, provide attackers with direct access to high-value targets such as executives and IT administrators, making them invaluable to cybercriminals.”
Via Cybernews




