Fake recruiters attack through LinkedIn

by Mark Rowe

Cyber company ESET has detailed highly targeted cyberattacks that use LinkedIn-based spearphishing, stay under the radar and apparently have financial gain, in addition to espionage, as a goal. Its researchers named the cyberattacks Operation In(ter)ception, based on a related malware sample named “Inception.dll”. The attacks took place from September to December 2019.

The attacks started on LinkedIn. The messages claimed to come from recruiters looking to take on staff from various functions – sales, marketing, and tech. The recruiters were fake. The moral of the story for ESET: a need for defences against intrusions, and cybersecurity training for employees against social engineering techniques.

Dominik Breitenbacher was the ESET malware researcher who analysed the malware and led the investigation. He said: “The message was a quite believable job offer, seemingly from a well-known company in a relevant sector. Of course, the LinkedIn profile was fake, and the files sent within the communication were malicious.”

The files were sent directly via LinkedIn messaging, or via email containing a OneDrive link. For the latter option, the attackers created email accounts corresponding with their fake LinkedIn personas. As ESET pointed out in a briefing before release of their findings, the messages did contain grammar errors; however, people receiving the mails who were keen on a better-paid job, and so ready to be taken in by the messaging, might overlook those clues that the recruiters were not who they said they were.

Once the recipient opened the file, a seemingly innocent PDF document with salary information related to the (fake) job offer was displayed. Meanwhile, malware was silently deployed on the victim’s computer. This way, the attackers had an initial foothold on the victim’s employer’s computer system.

Next, the attackers performed a series of steps that ESET researchers describe in their white paper “Operation In(ter)ception: Targeted attacks against European aerospace and military companies.” Among the tools the attackers used was custom multistage malware that often came disguised as legitimate software, and modified versions of open-source tools. They also used so-called “living off the land” tactics: abusing preinstalled Windows utilities to perform various malicious operations.

Breitenbacher added: “The attacks we investigated showed all the signs of espionage, with several hints suggesting a possible link to the infamous Lazarus group. However, neither the malware analysis nor the investigation allowed us to gain insight into what files the attackers were aiming for.”

Besides espionage, ESET researchers found evidence that the attackers tried to use the compromised accounts to extract money from other companies. Among the victim’s emails, the attackers found communication between the victim and a customer regarding an unresolved invoice. They followed up the conversation and urged the customer to pay the invoice – of course, to a bank account of their own.

See also the ESET blog and the website https://www.welivesecurity.com/.

Comment

Paul Rockwell, Head of Trust and Safety, LinkedIn said: “We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members. We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies. Our teams utilise a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors. We enforce our policies, which are very clear: the creation of a fake account or fraudulent activity with an intent to mislead or lie to our members is a violation of our terms of service. In this case, we uncovered instances of abuse that involved the creation of fake accounts. We took immediate action at that time and permanently restricted the accounts.”

© 2024 Professional Security Magazine. All rights reserved.