
Criminals Use LinkedIn to Install Malware in Companies
TL;DR
A new phishing campaign leverages messages on LinkedIn to distribute remote access trojans (RATs) across various sectors. The operation, identified by ReliaQuest, highlights a security gap that fails to monitor communication on social platforms.
How the Scam Works
ReliaQuest observed that the criminals use DLL sideloading to evade detection. They make contact with high-value individuals on LinkedIn and gradually earn their trust before sending the malware.
This campaign covers multiple sectors and regions, making it difficult to quantify its scale, as direct messages on social networks receive less monitoring than corporate emails.
Recently, at least three campaigns have been documented using DLL sideloading to distribute malware known as LOTUSLITE and PDFSIDER, among others.
Social Engineering Attack
The attacks begin with a targeted approach to LinkedIn contacts, simulating job opportunities or partnerships. After some interactions, criminals persuade victims to download files that ostensibly contain project information.
The malicious files include a self-extracting package (SFX) which, upon execution, extracts components such as a legitimate PDF reader and a malicious DLL, as well as an executable of the Python interpreter.
DLL Sideloading and Its Implications
DLL sideloading lets attackers hide their activity by having a legitimate, trusted application load and run the attacker's DLL in the background. Because the visible process is a known program, this often goes unnoticed by security systems.
The malicious DLL deploys the bundled Python interpreter on the victim's system and creates a key in the Windows Registry so the chain runs automatically at startup, giving the attackers persistent control over the machine.
The Python interpreter then executes Base64-encoded shellcode directly in memory, avoiding the on-disk artifacts that security tools would otherwise detect.
Privilege Escalation and Control
According to ReliaQuest, this approach facilitates attackers in bypassing detections and expanding their operations. Once inside the system, they can escalate privileges and move laterally within the network.
"After the breach, unwanted access can compromise the entire corporate infrastructure," highlights ReliaQuest. Intruders can map internal networks and access sensitive data, such as database information.
LinkedIn as a Recurring Target
This is not the first time LinkedIn has been used for targeted attacks. In recent years, various criminals, including groups linked to activities in North Korea, have adopted similar tactics.
The modus operandi frequently involves initial contact under false pretenses related to job opportunities.
Social Media and Corporate Security
ReliaQuest warns that social platforms represent a critical gap in corporate security. Unlike email, where security controls are widely deployed, direct messages on social networks are not adequately monitored.
As a result, platforms like LinkedIn allow malicious messages to reach employees without proper inspection, increasing the risk of phishing.
Recommendations for Organizations
ReliaQuest recommends that companies extend their security defenses to cover social media. This includes training on phishing risks and deploying tools such as EDR (Endpoint Detection and Response) that can identify techniques like DLL sideloading.
Additionally, users should be advised to be wary of unusual opportunities and to verify the authenticity of both the connections and the files they receive on social networks.
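The chain described above (a legitimate reader loading an unsigned DLL from a download folder, a Run key pointing back into that folder, and a Python interpreter launched with inline Base64-decoding code) leaves a recognisable pattern in endpoint telemetry. The script below is an added example, not ReliaQuest's tooling or any EDR product's real rule set: it runs three assumed heuristics over constructed, simplified JSON events (the field names are invented for the example, not a real Sysmon or EDR schema) and then correlates hits per process so that a process tripping several rules is surfaced first.

```python
import json
import ntpath
import re

# Constructed sample telemetry for this example (not real product output).
# One JSON event per line; pid 4120 mimics the chain described in the article,
# pid 5000 is a benign reader installed under Program Files.
SAMPLE_LOG = r"""
{"type": "process_create", "pid": 4120, "image": "C:\\Users\\alice\\Downloads\\project\\reader.exe", "cmdline": "reader.exe brief.pdf"}
{"type": "image_load", "pid": 4120, "image": "C:\\Users\\alice\\Downloads\\project\\reader.exe", "loaded": "C:\\Users\\alice\\Downloads\\project\\version.dll", "signed": false}
{"type": "image_load", "pid": 4120, "image": "C:\\Users\\alice\\Downloads\\project\\reader.exe", "loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": true}
{"type": "registry_set", "pid": 4120, "image": "C:\\Users\\alice\\Downloads\\project\\reader.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "value": "C:\\Users\\alice\\Downloads\\project\\reader.exe"}
{"type": "process_create", "pid": 4188, "image": "C:\\Users\\alice\\Downloads\\project\\python.exe", "cmdline": "python.exe -c \"import base64;exec(base64.b64decode('...'))\""}
{"type": "process_create", "pid": 5000, "image": "C:\\Program Files\\Acme Reader\\reader.exe", "cmdline": "reader.exe report.pdf"}
{"type": "image_load", "pid": 5000, "image": "C:\\Program Files\\Acme Reader\\reader.exe", "loaded": "C:\\Program Files\\Acme Reader\\version.dll", "signed": true}
"""

# Assumed heuristics (thresholds are the example's, not a vendor's).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|appdata|desktop|documents)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PY_INLINE = re.compile(r"pythonw?\.exe.*\s-c\s", re.IGNORECASE)
BASE64_DECODE = re.compile(r"b64decode|frombase64", re.IGNORECASE)


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_user_writable(path):
    """True if the path sits in a directory an ordinary user can write to."""
    return bool(USER_WRITABLE.match(path))


def same_directory(a, b):
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def detect(events):
    """Return (rule, pid, detail) tuples for events matching a heuristic."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "image_load":
            dll = ev["loaded"]
            # Sideload indicator: an unsigned DLL loaded from the executable's own
            # directory, where that directory is user-writable (e.g. Downloads).
            if (dll.lower().endswith(".dll") and same_directory(ev["image"], dll)
                    and is_user_writable(ev["image"]) and not ev.get("signed", False)):
                findings.append(("possible_dll_sideload", ev["pid"], dll))
        elif kind == "registry_set":
            # Persistence indicator: a Run/RunOnce value pointing into a user-writable path.
            if RUN_KEY.search(ev["key"]) and is_user_writable(ev["value"]):
                findings.append(("run_key_persistence", ev["pid"], ev["key"]))
        elif kind == "process_create":
            # In-memory execution indicator: python -c with inline Base64 decoding.
            cmd = ev["cmdline"]
            if PY_INLINE.search(cmd) and BASE64_DECODE.search(cmd):
                findings.append(("python_inline_base64", ev["pid"], ev["image"]))
    return findings


def triage(findings, min_rules=2):
    """Group findings by pid; keep processes that tripped at least min_rules distinct rules."""
    by_pid = {}
    for rule, pid, _ in findings:
        by_pid.setdefault(pid, set()).add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(parse_events(SAMPLE_LOG))
    for rule, pid, detail in hits:
        print(f"{rule:24} pid={pid} {detail}")
    print("high priority:", triage(hits))
```

Note that the benign reader (pid 5000) also loads a `version.dll` from its own directory but is not flagged, because the DLL is signed and lives under Program Files; the signature and path checks are what keep a plain "DLL loaded from application directory" rule from drowning analysts in false positives. In a real deployment the Python process would additionally be tied to its parent via a parent-pid field, which this simplified schema omits.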
Ultimately, the misuse of legitimate tools and the exploitation of social networks highlight that phishing methods need to be constantly reassessed to maintain security in corporate environments.