(Image credit: Shutterstock / Primakov)
- **Sophisticated LinkedIn phishing uses fake job ads to target executives **
- Attacks employ DLL sideloading and Python tools to install remote access trojans
- ReliaQuest warns phishing extends beyond email, exploiting overlooked social media platforms
Business executives and IT admins are being targeted by a highly sophisticated phishing attack which doesn’t happen in the email inbox but rather - on LinkedIn.
Security researchers ReliaQuest said they saw a new attack that combines legitimate Python pentesting projects, DLL sideloading, and fake job ads, to infect “high-value targets” with remote access trojans (RAT).
As per ReliaQuest’s report, the victims are caref…
(Image credit: Shutterstock / Primakov)
- **Sophisticated LinkedIn phishing uses fake job ads to target executives **
- Attacks employ DLL sideloading and Python tools to install remote access trojans
- ReliaQuest warns phishing extends beyond email, exploiting overlooked social media platforms
Business executives and IT admins are being targeted by a highly sophisticated phishing attack which doesn’t happen in the email inbox but rather - on LinkedIn.
Security researchers ReliaQuest said they saw a new attack that combines legitimate Python pentesting projects, DLL sideloading, and fake job ads, to infect “high-value targets” with remote access trojans (RAT).
As per ReliaQuest’s report, the victims are carefully chosen and reached out with an invitation to a business project or a job. The LinkedIn message comes with a download link which, if clicked, downloads a WinRAR self-extracting archive (SFX). The filename is usually tailored to the victim’s role, such as a product roadmap or project plan.
Deploying the RAT
When the victim opens the archive, it automatically extracts several files to the same folder, making the package look legitimate. The victim then launches the PDF reader that’s included in the archive, believing they are opening a normal document.
This reader then loads a malicious DLL that was also included in the archive. This method, known as DLL sideloading, executes the attacker’s code without raising immediate security alerts, it was explained.
The malicious DLL adds a Windows registry “Run” key to establish persistence and then runs a portable Python interpreter that was also included in the archive. This tool runs a Base64-encoded, open-source hacking tool directly in memory.
In turn, the malware begins communicating with a command-and-control server, which is standard behavior for remote access trojans.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“This campaign serves as a reminder that phishing isn’t confined to email inboxes. Phishing attacks take place over alternative channels like social media, search engines, and messaging apps – platforms that many organizations still overlook in their security strategies,” ReliaQuest said.
“Social media platforms, especially those frequently accessed on corporate devices, provide attackers with direct access to high-value targets like executives and IT administrators, making them invaluable to cybercriminals.”
*Via *Cybernews
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.