LinkedIn ‘Job Offers’ Targeted Aerospace & Military Personnel

A recent malware campaign targeted victims at European and Middle East aerospace and military companies, using LinkedIn spear-phishing messages posing as recruiters in order to steal information and money from the military and aerospace executives.

Attackers are impersonating human resource employees from Collins Aerospace and General Dynamics in a spear-phishing campaign leveraging LinkedIn’s messaging service. Targets are sent phony job offers that include malicious documents designed to fetch data-exfiltrating malware.

To trick prospective victims, the attackers created fraudulent LinkedIn accounts impersonating human resources or hiring managers from various aerospace and defense companies, including Collins Aerospace and General Dynamics, ESET explains. They then used LinkedIn’s messaging feature to reach out to targeted employees and offer an employment opportunity, in the hope of getting them to open a malicious file sent either directly through LinkedIn or via a combination of email and OneDrive.

Researchers believe the primary goal of the attacks, which occurred from September to December 2019, was espionage and some suggested that they may also have financial motives.

Victims were first sent a job offer in a LinkedIn message from a “well-known company in a relevant sector.” These included Collins Aerospace, a major US supplier of aerospace and defense products, and General Dynamics, another large US-based corporation. 

The “job offer” file was a password-protected RAR archive containing a LNK file. Once the LNK file was opened, it displayed a seemingly innocuous PDF document showing salary information for the fake job. However, the PDF was a decoy:

Behind the scenes, a Command Prompt utility (a command-line interface program used to execute commands in Windows) was executed to create a scheduled task. 

The attackers made use of a Windows component called Task Scheduler, which provides the ability to launch programs at pre-defined times. The scheduled task was set to execute a remote XSL script. XSL (Extensible Stylesheet Language) files are commonly used for processing data within XML files. The XSL script downloaded base64-encoded payloads, which were then decoded by a legitimate Windows utility called Certutil. Certutil is normally used to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates. Another Windows command-line utility, rundll32 (used to load DLLs), was then used to download and run a PowerShell DLL.

The abuse of these two legitimate, preinstalled Windows utilities is a common technique known as ‘living off the land’, used to carry out malicious activity covertly under the guise of regular system activity.
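The process chain described above (cmd.exe creating a scheduled task, certutil decoding a payload, rundll32 loading a DLL from outside the Windows directory) is what a defender would hunt for in endpoint process-creation logs. The following detection sketch is an added example, not code from the original article or from ESET; the events are constructed to mimic Sysmon Event ID 1 fields, and every path, task name and export name in them is a placeholder.

```python
"""Flag the living-off-the-land chain from the article in process-creation logs.
Added example: constructed events with Sysmon Event ID 1 fields (Image,
CommandLine, ParentImage); all paths, task and export names are placeholders."""
import re
from collections import defaultdict

# Constructed sample events: one process start each. WS01 shows the chain,
# WS02 shows benign use of the same utilities that must not alert.
EVENTS = [
    {"host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn PLACEHOLDER_TASK /tr "PLACEHOLDER_ACTION" /sc minute /mo 30'},
    {"host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\Users\u\AppData\Local\Temp\blob.txt C:\Users\u\AppData\Local\Temp\stage.dll"},
    {"host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\u\AppData\Local\Temp\stage.dll,PLACEHOLDER_EXPORT"},
    {"host": "WS02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify C:\certs\server.cer"},
    {"host": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def stage(event):
    """Return the chain stage this event matches, or None if it looks benign."""
    img, parent, cl = _name(event["Image"]), _name(event["ParentImage"]), event["CommandLine"]
    if img == "schtasks.exe" and parent == "cmd.exe" and re.search(r"(?i)/create", cl):
        return "scheduled_task_from_cmd"
    if img == "certutil.exe" and re.search(r"(?i)-decode", cl):
        return "certutil_decode"
    if img == "rundll32.exe":
        parts = cl.split()  # paths here contain no spaces; a real parser must handle quoting
        dll = parts[1].split(",")[0].lower() if len(parts) > 1 else ""
        if dll and not dll.startswith("c:\\windows\\"):
            return "rundll32_nonsystem_dll"
    return None

def detect(events, min_stages=2):
    """Per host, collect distinct stages; alert when at least min_stages co-occur."""
    hits = defaultdict(set)
    for ev in events:
        if (s := stage(ev)):
            hits[ev["host"]].add(s)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_stages}

if __name__ == "__main__":
    print(detect(EVENTS))  # {'WS01': ['certutil_decode', 'rundll32_nonsystem_dll', 'scheduled_task_from_cmd']}
```

Requiring two or more distinct stages on one host keeps a lone `certutil -verify` or a system-DLL `rundll32` call from paging anyone, while the full chain from the article surfaces as one alert.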

Since the logging of executed PowerShell commands is disabled by default, researchers couldn’t retrieve the commands used by the malware. However, they found that the attackers queried the AD (Active Directory) server to obtain a list of employees, including administrator accounts, and subsequently performed password brute-force attacks on the administrator accounts.

In one situation, the attackers found communication between the victim and a customer regarding an unresolved invoice. The attackers followed up in the conversation, purporting to be the victim, and urged the customer to pay the invoice into a bank account controlled by the bad actors. Paul Rockwell, head of trust and safety at LinkedIn, said that the creation of a fake account or fraudulent activity with an intent to mislead or lie to LinkedIn members “is a violation of our terms of service.”

Researchers warn users to watch for the hallmarks of spear-phishing emails, such as suspicious attachments and spelling errors, which can appear on LinkedIn as well.

In the case of one scam, the adversaries impersonated one of their targets, sending an email with a fake invoice to one of the victim’s customers, hoping to persuade the recipient to route a bank payment to the attackers’ account. The fraud was exposed when the customer emailed back the legitimate target company instead of the attackers.

Sources: LinkedIn, Threatpost, SC Magazine, Infosecurity
