- Sophisticated LinkedIn phishing uses fake job ads to target executives
- Attacks use DLL sideloading and Python tools to install remote Trojans
- ReliaQuest warns that phishing extends beyond email and exploits overlooked social media platforms
Business leaders and IT administrators are being hit by a highly sophisticated phishing attack that is happening not in the email inbox but on LinkedIn.
Security researchers at ReliaQuest said they saw a new attack that combines legitimate Python pentesting projects, DLL sideloading and fake job ads to infect “high-value targets” with remote access Trojans (RATs).
According to ReliaQuest’s report, the victims are carefully selected and approached with an invitation to a business venture or a job. The LinkedIn message comes with a download link which, if clicked, downloads a WinRAR self-extracting (SFX) archive. The file name is usually tailored to the victim’s role, such as a product roadmap or project plan.
Deploying the RAT
When the victim opens the archive, it automatically extracts multiple files to the same folder, making the package look legitimate. The victim then launches the PDF reader included in the archive, thinking they are opening a normal document.
This reader then loads a malicious DLL that was also included in the archive. This method, known as DLL sideloading, executes the attacker’s code without raising immediate security warnings, the researchers explained.
The malicious DLL adds an entry under a Windows registry “Run” key to establish persistence and then runs a portable Python interpreter that was also included in the archive. The interpreter runs a Base64-encoded, open-source hacking tool directly in memory.
In turn, the malware begins communicating with a command-and-control server, which is standard behavior for remote access Trojans.
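The chain described above can be looked for in endpoint telemetry. The following Python is an added example, not taken from ReliaQuest's report or this article: it correlates Sysmon-style image-load (7), registry-set (13) and process-create (1) events for one host. The field names follow Sysmon's; the paths, file names and the unsigned-DLL condition are assumptions.

```python
import re

# Directories a standard user can write to; a PDF reader or Python
# interpreter running from here is unusual on a managed endpoint.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|desktop|documents|appdata)|temp)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
PYTHON = re.compile(r"\\pythonw?\.exe$", re.I)

def folder(path):
    """Lower-cased parent directory of a Windows path."""
    return path.lower().rsplit("\\", 1)[0]

def score_host(events):
    """Return the chain stages seen in time-ordered Sysmon-style events."""
    stages, suspect_dirs = set(), set()
    for ev in events:
        eid = ev["EventID"]
        if eid == 7:  # unsigned DLL loaded from the EXE's own user-writable folder
            if (ev["Signed"] == "false" and USER_WRITABLE.search(ev["ImageLoaded"])
                    and folder(ev["Image"]) == folder(ev["ImageLoaded"])):
                stages.add("sideload")
                suspect_dirs.add(folder(ev["Image"]))
        elif eid == 13:  # Run-key value written by a process from that folder
            if RUN_KEY.search(ev["TargetObject"]) and folder(ev["Image"]) in suspect_dirs:
                stages.add("run_key")
        elif eid == 1:  # portable Python started by a process from that folder
            if PYTHON.search(ev["Image"]) and folder(ev["ParentImage"]) in suspect_dirs:
                stages.add("portable_python")
    return stages

# Constructed sample events (hypothetical paths and names, not from the report).
D = r"C:\Users\alice\Downloads\Project_Plan"
SAMPLE = [
    {"EventID": 7, "Image": D + r"\reader.exe",
     "ImageLoaded": D + r"\helper.dll", "Signed": "false"},
    {"EventID": 13, "Image": D + r"\reader.exe",
     "TargetObject": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "Image": D + r"\python\python.exe", "ParentImage": D + r"\reader.exe"},
]
BENIGN = [
    {"EventID": 7, "Image": r"C:\Program Files\Reader\reader.exe",
     "ImageLoaded": r"C:\Program Files\Reader\core.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Program Files\Python312\python.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    print(sorted(score_host(SAMPLE)), sorted(score_host(BENIGN)))
```

A host that reports all three stages is worth an alert. Sysmon only emits image-load events when the configuration enables them, and a renamed interpreter would need a check on file metadata rather than the file name.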
“This campaign serves as a reminder that phishing is not limited to email inboxes. Phishing attacks occur across alternative channels such as social media, search engines and messaging apps – platforms that many organizations still overlook in their security strategies,” said ReliaQuest.
“Social media platforms, especially those frequently accessed on corporate devices, give attackers direct access to high-value targets like executives and IT administrators, making them invaluable to cybercriminals.”
Via Cyber news



