LinkedIn ‘Job Offers’ Targeted Aerospace & Military Personnel

A recent malware campaign targeted victims at European and Middle East aerospace and military companies, using LinkedIn spear-phishing messages posing as recruiters in order to steal information and money from the military and aerospace executives.

Attackers are impersonating human resource employees from Collins Aerospace and General Dynamics in a spear-phishing campaign leveraging LinkedIn’s messaging service. Targets are sent phony job offers that include malicious documents designed to fetch data-exfiltrating malware.

To trick prospective victims, the attackers created fraudulent LinkedIn accounts impersonating human resources or hiring managers from various aerospace and defense companies, including Collins Aerospace and General Dynamic, ESET explains. Then they used LinkedIn’s messaging feature to reach out to targeted employees and offer an employment opportunity, in hopes of getting them to open a malicious file sent either directly through LinkedIn or via a combination of email and OneDrive.

Researchers believe the primary goal of the attacks, which occurred from September to December 2019, was espionage and some suggested that they may also have financial motives.

Victims were first sent a job offer in a LinkedIn message from a “well-known company in a relevant sector.” These included Collins Aerospace, a major US supplier of aerospace and defense products, and General Dynamics, another large US-based corporation. 

The “job offer” file was a password-protected RAR archive containing a LNK file. Once opened, the messages contained a seemingly-innocuous PDF document that showed salary information related to the fake job. However, the PDF was a decoy:

Behind the scenes, a Command Prompt utility (a command-line interface program used to execute commands in Windows) was executed to create a scheduled task. 

Attackers are making use of a Windows component called Task Scheduler, which provides the ability to schedule the launch of programs at pre-defined times. The scheduled task was set to execute a remote XSL script. XSL, or Extensible Stylesheet Language files, are commonly used for processing data within XML files. The XSL script downloaded base64-encoded payloads, which were then decoded by a legitimate Windows utility, called Certutil. This is used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates. Another Windows command line utility program was then used, called rundll32 (used for loading DLLs), to finally download and run a PowerShell DLL. 

The abuse of these two legitimate, preinstalled Windows utilities by attackers is a common method called ‘living off the land’ used as a way to covertly carry out activity under the guise of regular activity.

Since the logging of executed PowerShell commands is disabled by default, researchers couldn’t retrieve the commands used by the malware. However, they found that the attackers queried the AD (Active Directory) server to obtain a list of employees, including administrator accounts, and subsequently performed password brute-force attacks on the administrator accounts.

In one situation, attackers found communication between the victim and a customer regarding an unresolved invoice. The attackers followed up in the conversation, purporting to be the victim, and urged the customer to pay the invoice to a bad actor controlled bank account. Paul Rockwell, head of trust and safety with LinkedIn, said that the creation of a fake account or fraudulent activity with an intent to mislead or lie to LinkedIn members “is a violation of our terms of service.”

Researchers warn to keep an eye out for the staples of spear-phishing emails, such as suspicious attachments and spelling errors, that can even be found on LinkedIn.

In the case of one scam, the adversaries impersonated one of their targets, sending an email with a fake invoice to one of the victim’s customers, hoping to persuade the recipient to route a bank payment to the attackers’ account. The fraud was exposed when the customer emailed back the legitimate target company instead of the attackers.

LinkedIn:    Threatpost:       SC Magazine:      Infosecurity

You Might Also Read:

Reputational Damage & The Human Factor In Social Media:

 

« Webinar: How To Protect All AWS Services & Surfaces
Artificial Intelligence – A Brief History »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

National Defence Radio Establishment (FRA) - Sweden

National Defence Radio Establishment (FRA) - Sweden

The National Defence Radio Establishment (Försvarets Radioanstalt), is the Swedish national authority for Signals Intelligence, also providing Information assurance services to government authorities.

AMETIC

AMETIC

AMETIC, is the Association of Electronics, Information and Communications Technologies, Telecommunications and Digital Content Companies in Spain.

ACI Solutions

ACI Solutions

ACI Solutions is a managed IT services and network security provider working with diverse global commercial, government and public sector clients.

Robert Half Technology

Robert Half Technology

Robert Half Technology offers a full spectrum of technology staffing solutions to meet contract and full-time IT recruitment needs.

ArmorText

ArmorText

ArmorText offers a seamless channel for communication and collaboration for organizations concerned with keeping communication data private and secure.

Y-PARC

Y-PARC

Y-PARC is a center of excellence for cybersecurity, precision industries and medtech, fostering innovation and development and support for startups.

CONCORDIA

CONCORDIA

Concordia is a Cybersecurity Competence Network with leading research, technology, and competences to build the European Secure, Resilient and Trusted Ecosystem.

Russell Reynolds Associates

Russell Reynolds Associates

Russell Reynolds Associates is a global leadership advisory and search firm with functional expertise in Digital Leadership, Data & Analytics, and Compliance.

Visory

Visory

Great businesses depend on great technology. We make sure our clients go to market with enterprise-level technology and world-class security for their data and infrastructure.

Execweb

Execweb

Execweb are a cybersecurity executive network, comprised of 400+ security practitioners who work at Fortune 500 and SME companies.

One82

One82

Serving emerging small and medium-sized businesses in California and neighboring regions for over 20 years, One82 has established itself as the most dependable provider of IT support services.

National Information and Cybersecurity Council (NICC)

National Information and Cybersecurity Council (NICC)

National Information and Cybersecurity Council is a leading collaborative effort between Government of India and Industry to raise Cybersecurity awareness nationally.

ABM Technology Group

ABM Technology Group

ABM Technology Group (formerly True IT) provide business information technology services, solutions, and consulting for small to mid-sized organizations.

Vambrace Cybersecurity

Vambrace Cybersecurity

Vambrace is an experienced cybersecurity consultancy and operations outsourcer helping you to secure your business in an increasingly-hostile cyber environment.

Seven AI

Seven AI

Seven AI develops cyber security software designed to identify online threats.

Scalarr

Scalarr

Scalarr is an innovative, next-generation cyber security firm focused on automation and AI to detect and prevent threats in mobile and Edge/IoT infrastructures.