LinkedIn is a great portal for growing your professional network, and there are actors who very much want to connect with you and your connections. Remember that people often look at mutual connections before accepting someone they do not know personally, so a casual acceptance can lend credibility to a hacker's later requests to connect.
A North Korean government-backed campaign targeting cybersecurity researchers with malware has re-emerged with new tactics in its arsenal as part of a fresh social engineering attack. In a recent update, Google's Threat Analysis Group said the attackers behind the operation set up a fake security company called SecuriElite and a slew of social media accounts across Twitter and LinkedIn in an attempt to trick unsuspecting researchers into visiting the company's booby-trapped website "where a browser exploit was waiting to be triggered."
The new website claims the company is an offensive security company located in Turkey that offers pen testing, software security assessments and exploits. The website is said to have gone live on 17 March 2021. At least eight Twitter profiles and seven LinkedIn profiles, which claimed to belong to vulnerability researchers and human resources personnel at different security firms (including Trend Macro, a lookalike of Trend Micro), were created for this purpose, with a few others posing as the chief executive officer and employees of the fictitious company. All the accounts have since been suspended.
As a precaution, Google has added the website's URL to its Safe Browsing blocklist service to prevent accidental visits, even though the site has not yet been observed serving any malicious content.
The campaign was first investigated when it emerged that the adversary had created a research blog and multiple profiles on social media platforms such as Twitter, LinkedIn, Telegram, Discord and Keybase in a bid to communicate with researchers and build trust, only to deploy a Windows backdoor that came in the form of a trojanized Visual Studio project.
Following the disclosure, researchers from the South Korean cybersecurity firm ENKI revealed a zero-day in Internet Explorer that, they said, allowed the hackers to access devices managed by its security team by means of malicious MHTML files. Microsoft later addressed the issue in its March 2021 patch update.
The latest development is yet another example of attackers quickly shifting gears when their methods are discovered and exposed publicly. The real motive behind the attacks remains unclear, although it is suspected that the threat actor may be attempting to stealthily gain a foothold on researchers' systems in order to get hold of zero-day research, and then use those unpatched vulnerabilities to stage further attacks on targets of their choice.
Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225 or feedback@wapacklabs.com.
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516