Thursday, July 18, 2024

DUCKTAIL Malware Employs LinkedIn Messages to Execute Attacks

LinkedIn messages were used as a way to launch identity theft attacks in a malicious campaign that Cluster25 detected. 

They send messages from hacked accounts with PDF files that look like job offers. But these files have links to dangerous websites that can steal your data.

Cluster25 is a cybersecurity firm that specializes in threat intelligence and incident response. They discovered this campaign by analyzing the malicious domains and URLs used by the attackers. 

The hackers are using a type of malware called DuckTail, which can also take over your Facebook Business account. 

They are mainly targeting people who work in sales and finance in Italy.

How the Scam Works

The hackers send you a message from a hacked LinkedIn account with a PDF file with a job offer. For example, they might offer you a Senior Manager position at Electronic Arts (EA).

The PDF file has two links. One link takes you to a fake website that looks like EA’s website. It asks you to upload your resume and cover letter. 

The other link downloads a ZIP file from Microsoft OneDrive. The ZIP file has some video files and two files that look like Word documents but are malware.

malware files
malware files

The malware files are very hard to detect by antivirus software because they use a special technique called single-file application. They hide the malicious code inside other files of the application.

If you run the malware files, they will infect your computer and try to steal your information, such as cookies, session data, and browser credentials. 

They will also try accessing your Facebook Business account using the linked email.

Some hackers have made a fake DLL file that can spy on your web browser and send your data to them through Telegram. 

They trick you into running this file by sending you a PDF with a LinkedIn job offer.

The DLL file is made with Microsoft .NET and was created on September 18, 2023. It checks if there is another copy of itself running on your computer. 

If not, it makes a file with information about your computer, like your GUID and IP address. It also opens a PDF file with a job description to make you think everything is normal.

The DLL file then contacts the hackers through Telegram, using a BOT ID 6263348871. It sends them a message with your ChatID and some text. 

Then, it sends them ZIP files with your data using the /sendDocument API. The hackers have a configuration file with encryption keys, the Telegram Bot’s Token, the ChatID, and some email addresses.

The DLL file can steal cookies, session information, and saved credentials from web browsers like Microsoft Edge, Google Chrome, Brave Browser, and Mozilla Firefox. 

The hackers can use this data to pretend to be you online and access your accounts.

The DLL file also keeps running in the background, sending more data to hackers. 

It can also try to take over your Facebook Business account by sending links to email addresses from the configuration file. 

If you click on these links, the hackers might get access to your Facebook Business account.

This very dangerous and clever attack targets professionals who use LinkedIn. 

You should be careful about opening files or links from unknown sources and always use antivirus software to protect your computer.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.


Latest articles

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...

Cybercriminals Exploit Attack on Donald Trump for Crypto Scams

Researchers at Bitdefender Labs remain ever-vigilant, informing users about the latest scams and internet...

New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations...

Volcano Demon Group Attacking Organizations With LukaLocker Ransomware

The Volcano Demon group has been discovered spreading a new ransomware called LukaLocker, which...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles