Be Careful! There's Malware Under The Guise Of A Job Offer On LinkedIn
LinkedIn is known as a place to find jobs or recruit new employees, but lately the professional social network has been filled with malware under the guise of a false job offer.
Threat intelligence company Mandiant found the campaign had been going on since June 2022. And it is believed that the mastermind behind this fraud is a North Korean hacker group.
The group, Lazarus, known as Operation Dream Job, often violates crypto users' systems. They carry out a new malware campaign by taking advantage of fake job offers on LinkedIn to lure their victims.
Initially, they posted offers of fake jobs in the media, technology and defense industries under the guise of legitimate recruiters.
In fact, they also imitated the New York Times media in one ad. However, Mandiant believes the new campaign originated in a separate group for Lazarus, and is unique because the TouchMove, SideShow, and TouchShift malware used in attacks has never been seen before.
After users responded to LinkedIn's job offer, hackers then continued the process on WhatsApp, where they would share Word documents containing malicious macro, then install trojans from the WordPress site that had been hacked and used by hackers as their control center.
This Trojan, based on TightVNC and known as LidShift, in turn uploaded a malicious Notepad++ strike that downloaded the malware known as LidShot, then spread the final payload on the device, PlankWalk's backdoor.
After that, the hackers then used a malware dropper called TouchShift, which was hidden in the Windows binary file. It contains a large amount of additional malicious content, including TouchShot and TouchKey, each screenshot and keylogger utility, as well as TouchMove's calling.
In this way, another backdoor called SideShow was created, where hackers would gain high-level control over host systems, such as the ability to edit registries, change firewall settings, and run additional payloads.
Hackers also use CloudBurst malware in companies that do not use VPN, by abusing Microsoft Intune's end-point management services, as quoted by TechRadar, Tuesday, March 14.
Hackers also did not escape exploiting zero-day weaknesses in ASUS Driver7.sys, which other payloads call LightShow to routinely patch kernels in Endpoint's protection software, and prevent detection. Currently, the defect has been patched.