Cyber attacks use LinkedIn to target companies and employees
Researchers at ESET have uncovered cyber attacks that use LinkedIn messaging as a starting point for achieving financial gain.
The attacks, which ESET researchers have called Operation In(ter)ception, took place from September to December 2019 and are notable for using LinkedIn-based spearphishing.
According to ESET, the attackers employ effective tricks to stay under the radar and supposedly have financial gain, in addition to espionage, as a goal.
The LinkedIn message describes a believable job offer, seemingly from a well-known company in a relevant sector. Files were sent directly via LinkedIn messaging, or via email containing a OneDrive link.
For the latter option, the attackers created email accounts corresponding with their fake LinkedIn personas.
Dominik Breitenbacher, the ESET malware researcher who analysed the malware and led the investigation, states the LinkedIn profile was fake, and the files sent within the communication were malicious.
Once the recipient opened the file, a seemingly innocent PDF document with salary information related to the fake job offer was displayed. Meanwhile, malware was silently deployed on the victim's computer.
In this way, the attackers established an initial foothold and reached a solid persistence on the system, ESET states.
Following this, the attackers performed a series of steps. Among the tools the attackers utilised was custom multistage malware that often came disguised as legitimate software, and modified versions of open-source tools.
In addition, they leveraged ‘living off the land’ tactics, including abusing preinstalled Windows utilities to perform various malicious operations.
The attacks we investigated showed all the signs of espionage, with several hints suggesting a possible link to Lazarus group.
Breitenbacher states, despite this neither the malware analysis nor the investigation allowed the ESET team to gain insight into what files the attackers were aiming for.
Besides espionage, ESET researchers found evidence that the attackers attempted to use the compromised accounts to extract money from other companies.
Among the victims emails, the attackers found communication between the victim and a customer regarding an unresolved invoice. They followed up the conversation and urged the customer to pay the invoice of course, to a bank account of their own.
However, the customer of the company became suspicious and reached out to the company owner for assistance, thwarting the attackers attempt to conduct a so-called business email compromise attack.
Breitenbacher says, “This attempt to monetise the access to the victims network should serve as yet another reason for both establishing strong defenses against intrusions and providing cybersecurity training for employees.
“Such education could help employees recognise even lesser-known social engineering techniques, like the ones used in Operation In(ter)ception.”
ESET has released a whitepaper on the attack titled Operation In(ter)ception: Targeted attacks against European aerospace and military companies.