- Sophisticated LinkedIn phishing uses fake job ads to target executives
- Attacks employ DLL sideloading and Python tools to install remote access trojans
- ReliaQuest warns phishing extends beyond email, exploiting overlooked social media platforms
Business executives and IT admins are being targeted by a highly sophisticated phishing attack which doesn’t happen in the email inbox but rather – on LinkedIn.
Security researchers ReliaQuest said they saw a new attack that combines legitimate Python pentesting projects, DLL sideloading, and fake job ads, to infect “high-value targets” with remote access trojans (RAT).
As per ReliaQuest’s report, the victims are carefully chosen and reached out with an invitation to a business project or a job. The LinkedIn message comes with a download link which, if clicked, downloads a WinRAR self-extracting archive (SFX). The filename is usually tailored to the victim’s role, such as a product roadmap or project plan.
Deploying the RAT
When the victim opens the archive, it automatically extracts several files to the same folder, making the package look legitimate. The victim then launches the PDF reader that’s included in the archive, believing they are opening a normal document.
This reader then loads a malicious DLL that was also included in the archive. This method, known as DLL sideloading, executes the attacker’s code without raising immediate security alerts, it was explained.
The malicious DLL adds a Windows registry “Run” key to establish persistence and then runs a portable Python interpreter that was also included in the archive. This tool runs a Base64-encoded, open-source hacking tool directly in memory.
In turn, the malware begins communicating with a command-and-control server, which is standard behavior for remote access trojans.
“This campaign serves as a reminder that phishing isn’t confined to email inboxes. Phishing attacks take place over alternative channels like social media, search engines, and messaging apps – platforms that many organizations still overlook in their security strategies,” ReliaQuest said.
“Social media platforms, especially those frequently accessed on corporate devices, provide attackers with direct access to high-value targets like executives and IT administrators, making them invaluable to cybercriminals.”
Via Cybernews
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
