Watch out for these fake job offers on LinkedIn - they could lead to malware
Attackers are using social media to dupe job seekers
A North Korean hacking group is believed to be behind a new malware campaign that makes use of fake job offers on LinkedIn to lure its victims.
The group is posting fake job offers in the media, tech and defense industries under the guise of legitimate recruiters. They even impersonated the New York Times in one ad.
Threat intelligence firm Mandiant discovered the campaign has been ongoing since June 2022. It believes it is related to another malware campaign originating from North Korea, conducted by the infamous Lazarus group, known as “Operation Dream Job”, which breaches systems belonging to crypto users.
Phishing for victims
Mandiant, for its part, attributes the new campaign to a group distinct from Lazarus, and notes that the TouchMove, SideShow and TouchShift malware used in the attacks had not been seen before.
After a user responds to the LinkedIn job offer, the attackers move the conversation to WhatsApp, where they send a Word document containing malicious macros. The macros install a trojan fetched from WordPress sites the attackers have compromised and use as command-and-control infrastructure.
This trojan, a modified build of TightVNC known as LidShift, in turn loads a malicious Notepad++ plugin that downloads a second-stage component known as LidShot, which deploys the final payload on the device: the PlankWalk backdoor.
The attackers then use a malware dropper called TouchShift, which is disguised as a legitimate Windows binary. It loads a range of additional malicious components, including TouchShot and TouchKey (a screenshot utility and a keylogger, respectively), as well as a loader called TouchMove.
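The lure in this chain is a macro-bearing Word document delivered over a chat channel rather than email, so it bypasses the usual mail-gateway checks. The following is an added triage example (not Mandiant's or TechRadar's code) that inspects an OOXML document for a VBA project part and for a macro-enabled content type declaration; the sample documents are constructed in memory so the check runs offline. It assumes Python 3.9 or later.

```python
"""Triage check for macro-bearing Word documents (added example, not from the
original article). Flags the two OOXML markers of an embedded VBA project."""
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = (
    "application/vnd.openxmlformats-officedocument."
    "wordprocessingml.document.main+xml"
)
VBA_PART_CT = "application/vnd.ms-office.vbaProject"


def build_sample_doc(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container for testing (constructed sample,
    not a real lure). Real documents carry many more parts; this has just
    enough structure for macro_findings() to exercise both checks."""
    main_ct = MACRO_MAIN_CT if with_macros else PLAIN_MAIN_CT
    vba_override = (
        f'<Override PartName="/{MACRO_PART}" ContentType="{VBA_PART_CT}"/>'
        if with_macros else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE compound file (D0 CF 11 E0 header);
            # a placeholder with that magic is enough for a presence check.
            z.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def macro_findings(data: bytes) -> list[str]:
    """Return the reasons a document should be treated as macro-bearing.
    An empty list means neither marker was found."""
    findings: list[str] = []
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .doc (OLE) or a non-Office file: this check does not apply,
        # so report that rather than silently returning "clean".
        return ["not an OOXML container; inspect with an OLE-aware tool"]
    names = set(z.namelist())
    if MACRO_PART in names:
        findings.append(f"contains {MACRO_PART}")
    if "[Content_Types].xml" in names:
        ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
        if MACRO_MAIN_CT in ct:
            findings.append("main document part declared as macroEnabled")
    return findings


def should_quarantine(data: bytes) -> bool:
    """Policy helper: any finding at all means hold the file for analysis."""
    return bool(macro_findings(data))


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_doc(False)),
                       ("macro", build_sample_doc(True)),
                       ("not-zip", b"not an office document")):
        print(label, should_quarantine(doc), macro_findings(doc))
```

The check deliberately treats a non-zip input as a finding rather than as clean: a legacy binary .doc with a VBA stream would otherwise pass unnoticed, and that format is still a common lure container.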
It also loads another backdoor called SideShow, which gives the attackers extensive control over the host, including editing the registry, changing firewall settings and executing additional payloads.
The attackers also deployed the CloudBurst malware on machines at companies that did not use a VPN, by abusing the endpoint management service Microsoft Intune.
In addition, the attackers exploited a zero-day flaw in the ASUS driver Driver7.sys, which another payload called LightShow used to patch kernel routines in endpoint protection software to evade detection. The flaw has since been patched.
Lewis Maddison is a Reviews Writer for TechRadar.