LinkedIn ‘Job Offers’ Targeted Aerospace & Military Personnel

A recent malware campaign targeted victims at European and Middle East aerospace and military companies, using LinkedIn spear-phishing messages posing as recruiters in order to steal information and money from the military and aerospace executives.

Attackers are impersonating human resource employees from Collins Aerospace and General Dynamics in a spear-phishing campaign leveraging LinkedIn’s messaging service. Targets are sent phony job offers that include malicious documents designed to fetch data-exfiltrating malware.

To trick prospective victims, the attackers created fraudulent LinkedIn accounts impersonating human resources or hiring managers from various aerospace and defense companies, including Collins Aerospace and General Dynamic, ESET explains. Then they used LinkedIn’s messaging feature to reach out to targeted employees and offer an employment opportunity, in hopes of getting them to open a malicious file sent either directly through LinkedIn or via a combination of email and OneDrive.

Researchers believe the primary goal of the attacks, which occurred from September to December 2019, was espionage and some suggested that they may also have financial motives.

Victims were first sent a job offer in a LinkedIn message from a “well-known company in a relevant sector.” These included Collins Aerospace, a major US supplier of aerospace and defense products, and General Dynamics, another large US-based corporation. 

The “job offer” file was a password-protected RAR archive containing a LNK file. Once opened, the messages contained a seemingly-innocuous PDF document that showed salary information related to the fake job. However, the PDF was a decoy:

Behind the scenes, a Command Prompt utility (a command-line interface program used to execute commands in Windows) was executed to create a scheduled task. 

Attackers are making use of a Windows component called Task Scheduler, which provides the ability to schedule the launch of programs at pre-defined times. The scheduled task was set to execute a remote XSL script. XSL, or Extensible Stylesheet Language files, are commonly used for processing data within XML files. The XSL script downloaded base64-encoded payloads, which were then decoded by a legitimate Windows utility, called Certutil. This is used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates. Another Windows command line utility program was then used, called rundll32 (used for loading DLLs), to finally download and run a PowerShell DLL. 

The abuse of these two legitimate, preinstalled Windows utilities by attackers is a common method called ‘living off the land’ used as a way to covertly carry out activity under the guise of regular activity.

Since the logging of executed PowerShell commands is disabled by default, researchers couldn’t retrieve the commands used by the malware. However, they found that the attackers queried the AD (Active Directory) server to obtain a list of employees, including administrator accounts, and subsequently performed password brute-force attacks on the administrator accounts.

In one situation, attackers found communication between the victim and a customer regarding an unresolved invoice. The attackers followed up in the conversation, purporting to be the victim, and urged the customer to pay the invoice to a bad actor controlled bank account. Paul Rockwell, head of trust and safety with LinkedIn, said that the creation of a fake account or fraudulent activity with an intent to mislead or lie to LinkedIn members “is a violation of our terms of service.”

Researchers warn to keep an eye out for the staples of spear-phishing emails, such as suspicious attachments and spelling errors, that can even be found on LinkedIn.

In the case of one scam, the adversaries impersonated one of their targets, sending an email with a fake invoice to one of the victim’s customers, hoping to persuade the recipient to route a bank payment to the attackers’ account. The fraud was exposed when the customer emailed back the legitimate target company instead of the attackers.

LinkedIn:    Threatpost:       SC Magazine:      Infosecurity

You Might Also Read:

Reputational Damage & The Human Factor In Social Media:

 

« Webinar: How To Protect All AWS Services & Surfaces
Artificial Intelligence – A Brief History »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

SC Media

SC Media

SC Media arms information security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face.

Spiceworks

Spiceworks

Spiceworks provide a range of free apps for IT professionals including network inventory, network monitor, and help desk.

Siscon

Siscon

Siscon delivers tailor-made compliance solutions that are based on the customer's specific wishes and reality and then supplement with many years of experience in the field.

NRD Cyber Security

NRD Cyber Security

NRD Cyber Security create a secure digital environment for countries, governments, and organisations and implement cybersecurity resilience enhancement projects around the world.

Immersive

Immersive

Immersive unifies Cyber Drills, Exercises, Sims, Ranges, and Training into one single, adaptive platform. One Platform. Total Cyber Resilience.

GreyCortex

GreyCortex

GreyCortex uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

Ecubel

Ecubel

Ecubel is the market leader in Belgium in buying and selling used IT harware guaranteed by a certified data erasure.

Kalima Systems

Kalima Systems

Kalima’s mission is to securely collect, transport, store and share Industrial IoT (IIoT) trusted data in real time with devices, services and mobile workers.

Deutsche Gesellschaft für Cybersicherheit (DGC)

Deutsche Gesellschaft für Cybersicherheit (DGC)

As a leading provider of cyber security, DGC supports companies in taking advantage of the opportunities offered by the digital transformation – and in minimizing the associated risks.

Endure Secure

Endure Secure

Endure Secure is a managed cyber security & information security consultancy. Our passion for IS and our understanding of the threat landscape is reflected in the services that we provide.

Network Contagion Research Institute (NCRI)

Network Contagion Research Institute (NCRI)

NCRI provides pioneering technology, research, and analysis to identify and forecast cyber-social threats targeting individuals, organizations, and communities.

Lightpoint Global

Lightpoint Global

Lightpoint Global is a bespoke software development company. We also provide a spectrum of services such as IT consulting, business analysis, QA and testing, and DevOps services.

CESAR

CESAR

CESAR is one of the premier R+D and innovation centers in Brazil and a designated Cybersecurity Competence Center.

ViroSafe

ViroSafe

ViroSafe is a leading value-added distributor of IT security solutions in Norway.

Taktika

Taktika

Taktika stands at the forefront of cybersecurity defense, offering cutting-edge integration and managed Security Operations Center (SOC) services.

Ciena

Ciena

Ciena is a global leader in optical and routing systems, services, and automation software. We build the world’s most adaptive networks to address ever-increasing digital demands.