Key Takeaways
- A phishing campaign is exploiting a legitimate, open-source penetration testing tool to distribute a Remote Access Trojan (RAT) to victims via LinkedIn private messages.
- The campaign targets high-value individuals, including business executives and IT administrators, with industry-related lures to establish trust.
- The phishing link contains a malicious WinRAR self-extracting archive that extracts a legitimate PDF reader and a malicious DLL file.
- The attackers use DLL sideloading to complicate detection and disruption, and an open-source penetration testing tool to maintain a foothold on the infected machine.
- Organizations should conduct social media-specific cybersecurity training and implement controls to restrict access to personal social media accounts on corporate devices.
Introduction to the Phishing Campaign
A phishing link delivered via private messages on LinkedIn is exploiting a legitimate, open-source penetration testing tool in a campaign designed to distribute a Remote Access Trojan (RAT) to victims. This campaign has been detailed by threat researchers at ReliaQuest, who describe it as “particularly concerning” because of how attackers combine legitimate software tools with the credibility of a social media platform to increase their odds of success. The campaign is directed towards “high-value individuals” who are specifically targeted, including business executives and IT administrators. The attacks begin by abusing LinkedIn’s professional networking context with an industry-related lure directed at the target to establish trust, before eventually sending the phishing link designed to compromise them.
The Phishing Link and Malware
The phishing link contains a malicious WinRAR self-extracting archive (SFX) which upon execution extracts a legitimate open-source PDF reader, alongside a malicious DLL file, disguised to share the same name as a benign file used by the PDF reader. Researchers noted that the file names are carefully crafted to align with the recipient’s role or industry to help them look more legitimate and increase the attackers’ chance of success. If the victim extracts the PDF reader, the malicious DLL exploits a technique known as DLL sideloading to complicate detection and disruption by placing itself in the same directory as a legitimate application. This allows the attackers to maintain a foothold on the infected machine, plus the ability to exfiltrate data, escalate privileges, and move laterally within the network.
The Use of Legitimate Tools and Social Media
ReliaQuest researchers noted that similar social media-based campaigns have previously been leveraged to distribute trojan malware to victims. By distributing the malicious payloads via LinkedIn or other social platforms, attackers hope to exploit blind spots that cybersecurity protections of businesses may not have covered. The use of legitimate tools and social media platforms makes it easier for attackers to gain the trust of their victims and increase their chances of success. As ReliaQuest said in the blog post, “This campaign serves as a reminder that phishing isn’t confined to email inboxes. Phishing attacks take place over alternative channels like social media, search engines, and messaging apps − platforms that many organizations still overlook in their security strategies.”
The Importance of Social Media Security
Social media platforms, especially those frequently accessed on corporate devices, provide attackers with direct access to high-value targets, making them invaluable to cybercriminals. To help users avoid falling victim to social media-based phishing attacks, ReliaQuest recommended that employers conduct social media-specific cybersecurity training and encourage staff to treat unexpected links or files sent through LinkedIn or other platforms with the same suspicion they treat similar messages received via email. Researchers also suggested that organizations should conduct an audit on the use of personal social media accounts on corporate devices, potentially implementing controls or restricting access to those not needed for work.
Conclusion and Recommendations
In conclusion, the phishing campaign exploiting a legitimate, open-source penetration testing tool via LinkedIn private messages is a significant threat to high-value individuals and organizations. To mitigate this risk, organizations must treat social media platforms as an integral part of their attack surface and adopt a proactive, defense-in-depth approach. By combining employee training, advanced detection tools, and strict platform usage policies, they can mitigate the risks and stay ahead of emerging tactics. As ReliaQuest said, “Organizations must treat social media platforms as an integral part of their attack surface and adopt a proactive, defense-in-depth approach. By combining employee training, advanced detection tools, and strict platform usage policies, they can mitigate the risks and stay ahead of emerging tactics.”
