Hackers are targeting social media managers in the US, the UK, and India with info-stealing malware. The goal of the campaign is to gain access to their Facebook business accounts, through which they can later launch malicious advertising campaigns on the social media platform.
The campaign was spotted by cybersecurity researchers from WithSecure, who found the scammers, thought to be from Vietnam, are impersonating Corsair, a well-known American computer peripherals and hardware company, on LinkedIn. There, they have created a fake job ad for a social media management position at the company, and are using it to push a couple of documents to the victims.
One of the documents holds a VBS script which, if executed, will deliver either the RedLine Infostealer, or DarkGate, further down the line.
Fake jobs is an old trick
Gaining access to the victims’ social media accounts also gives them access to the credit cards linked to the accounts. That way, they can create – and pay for – various ads on the platform that has almost three billion monthly active users. These ads will, almost always, lead to a malicious site or promote malware in one way or another.
Fake job offers on LinkedIn are nothing new. North Korean threat actor Lazarus Group gained infamy by setting up fake job offers to lure in blockchain developers. In one such instance, cybersecurity researchers from Malwarebytes discovered a campaign in which Lazarus assumed the identity of Coinbase, one of the world’s biggest and most popular cryptocurrency exchanges.
The criminals reached out to blockchain developers with a job offer for the role of “Engineering Manager, Product Security”, and even conducted a few interviews, to make the whole campaign more believable. At one point, however, the attackers shared a file, seemingly a PDF, but in fact – malware.
Lazarus Group stole hundreds of millions of dollars in cryptocurrencies this way, throughout the years.
Via BleepingComputer
