PROCIRCULAR BLOG

Educating your business on the importance of cybersecurity

Sophisticated Threat Actors are using LinkedIn to Phish Employees

Posted by Aaron Heikkila on Sep 30, 2021 9:03:06 AM

Phishing via employment-focused social media is on the rise. While performing incident response over the last few months, ProCircular encountered multiple incidents where LinkedIn was used in employee phishing attacks. Several news articles raised awareness of this phishing vector over the last year, and the trend continues with a new wave of attacks by sophisticated threat actors.

The attackers are performing spear-phishing attacks against companies by luring their employees to click malicious links with promises of lucrative job offers. These attacks succeed when employees believe the attachments are legitimate and download a file with hidden malware. When they open what looks like the job description document, they actually open a .lnk file that installs the More_Eggs toolkit. The perpetrator behind this attack is believed to be the threat actor known as FIN6, which has a reputation for targeting organizations with an online shopping presence: they hack into the networks to infect online payment portals with credit-card-skimming code.

The Threat Response Unit (TRU) research team at eSentire reported on this spear-phishing activity last April. The attackers then went dormant until they began a new wave of attacks in June and July; they may have used that pause to evolve their toolkit to evade antivirus and EDR. The new wave of attacks is almost identical to the attacks described by TRU. The full attack write-up by TRU can be found here.

For more information about this toolset, look here.


Indicators

| Indicator | Type | Description |
|---|---|---|
| Careersteps[.]net | URL | AWS-hosted website serving the zip file that contains the malicious .lnk |
| C:\Users\<user>\AppData\Roaming\<filename>.csv | File path | Cobalt Strike beacon |
| C:\Users\<user>\AppData\Roaming\Microsoft\<filename>.txt | File path | Scripts and XML documents used with msxsl.exe |
| C:\Users\<user>\AppData\Roaming\Microsoft\msxsl.exe | File path | Signed Microsoft binary used by More_Eggs |
| Typepref.exe | LOLBin | Uncommon binary executed after the malware lands |
| HKCU:\Environment\UserInitMprLogonScript | Registry key | Registry key persistence; executes cscript to launch the malware |
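As an added example (not code from the ProCircular post or from eSentire's write-up), the following read-only PowerShell triage script checks a single Windows host for the file, registry, archive and process indicators in the table above. The Downloads folder as the location of the lure zip, the Add-Finding helper and the "few legitimate apps write there" threshold are my assumptions.

```powershell
# Added example, not code from the ProCircular post: read-only triage of one Windows
# host for the More_Eggs indicators listed in the table. It reports, never deletes.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Registry persistence: UserInitMprLogonScript is almost never set on a
#    workstation; the post says the malware uses it to launch cscript.
$logon = Get-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' `
    -ErrorAction SilentlyContinue
if ($logon) { Add-Finding 'UserInitMprLogonScript' $logon.UserInitMprLogonScript }

# 2. msxsl.exe is a signed Microsoft tool, but it does not belong under %APPDATA%.
$msxsl = Join-Path $env:APPDATA 'Microsoft\msxsl.exe'
if (Test-Path $msxsl) {
    $sig = Get-AuthenticodeSignature -FilePath $msxsl
    Add-Finding 'msxsl.exe in Roaming' "$msxsl (signature: $($sig.Status))"
}

# 3. Loose .csv/.txt files directly in Roaming or Roaming\Microsoft match the
#    beacon and script paths in the table; few legitimate apps write them there.
foreach ($dir in @($env:APPDATA, (Join-Path $env:APPDATA 'Microsoft'))) {
    foreach ($f in Get-ChildItem -Path (Join-Path $dir '*') -File -Include '*.csv','*.txt' `
            -ErrorAction SilentlyContinue) {
        Add-Finding 'Loose file in Roaming' $f.FullName
    }
}

# 4. Assumption: the lure zip was saved to Downloads. Flag any zip carrying a .lnk.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$downloads = Join-Path $env:USERPROFILE 'Downloads'
foreach ($z in Get-ChildItem -Path $downloads -Filter '*.zip' -File -ErrorAction SilentlyContinue) {
    $archive = [System.IO.Compression.ZipFile]::OpenRead($z.FullName)
    try {
        foreach ($e in $archive.Entries) {
            if ($e.Name -like '*.lnk') { Add-Finding 'Zip containing .lnk' "$($z.FullName) -> $($e.FullName)" }
        }
    } finally { $archive.Dispose() }
}

# 5. The uncommon binary the table lists as a LOLBin, if it is currently running.
foreach ($p in Get-Process -Name 'typepref' -ErrorAction SilentlyContinue) {
    Add-Finding 'Typepref.exe running' "PID $($p.Id) $($p.Path)"
}

if ($findings.Count -eq 0) { 'No More_Eggs indicators found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it in the context of the user who received the lure, since the registry key and Roaming paths are per-user; a hit on the registry key or on msxsl.exe in Roaming warrants isolating the host rather than cleaning it in place.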


Topics: Incident Response, hacking, risk
