A phishing link delivered via private messages on LinkedIn is exploiting a legitimate, open-source penetration testing tool in what cybersecurity analysts say is a campaign designed to distribute a Remote Access Trojan (RAT) to victims.
The campaign has been detailed by threat researchers at ReliaQuest, who describe it as “particularly concerning” because of how attackers combine legitimate software tools with the credibility of a social media platform to increase their odds of success.
Researchers said the campaign is directed towards “high-value individuals” who are specifically targeted, including business executives and IT administrators.
The attacks begin by abusing LinkedIn’s professional networking context with an industry-related lure directed at the target to establish trust, before eventually sending the phishing link designed to compromise them.
This link delivers a malicious WinRAR self-extracting archive (SFX) which, upon execution, extracts a legitimate open-source PDF reader alongside a malicious DLL file that is given the same name as a benign file used by the PDF reader.
Researchers noted that the file names are carefully crafted to align with the recipient’s role or industry to help them look more legitimate and increase the attackers’ chance of success.
If the victim extracts the PDF reader, the malicious DLL uses a technique known as DLL sideloading: it sits in the same directory as the legitimate application so that the application loads it, which complicates detection and disruption.
After this, persistence within the system is achieved with the aid of an open-source penetration testing tool, allowing the attackers to maintain a foothold on the infected machine, plus the ability to exfiltrate data, escalate privileges and move laterally within the network.
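As an added illustration of how a defender might hunt for the DLL sideloading step described above (this is example code, not from the article or from ReliaQuest's report): the function below scans module-load events in the shape of Sysmon Event ID 7 fields (Image, ImageLoaded) and flags a DLL that carries the name of a Windows system DLL but is loaded from the application's own directory rather than the system directory. The event sample and the system-DLL name list are constructed for the example; a real deployment would build the list from an inventory of the host's System32.

```python
from pathlib import PureWindowsPath

# Constructed sample of module-load events (Sysmon Event ID 7 style fields).
# Paths and file names are illustrative, not telemetry from the campaign.
EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\QuarterlyReport\pdfreader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\QuarterlyReport\version.dll"},
    {"Image": r"C:\Users\alice\Downloads\QuarterlyReport\pdfreader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Users\alice\Downloads\QuarterlyReport\pdfreader.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\Program Files\SomeApp\someapp.exe",
     "ImageLoaded": r"C:\Program Files\SomeApp\someapp.dll"},
]

# Assumption: a short, constructed allow-list of DLL names that normally resolve
# from the Windows system directory and are frequent sideloading targets.
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "dwmapi.dll", "userenv.dll"}

# Directories from which a system DLL is expected to load (lower-case, trailing slash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_sideload_candidate(image: str, module: str) -> bool:
    """True when a system-named DLL loads from the process's own directory."""
    img, mod = PureWindowsPath(image), PureWindowsPath(module)
    if mod.name.lower() not in SYSTEM_DLL_NAMES:
        return False                      # not a name that should live in System32
    mod_dir = str(mod.parent).lower() + "\\"
    if mod_dir.startswith(SYSTEM_DIRS):
        return False                      # loaded from the expected system location
    # Classic sideload shape: DLL sits beside the executable that loaded it.
    return str(mod.parent).lower() == str(img.parent).lower()


def find_sideload_candidates(events):
    """Return (Image, ImageLoaded) pairs that match the sideloading heuristic."""
    return [(e["Image"], e["ImageLoaded"]) for e in events
            if is_sideload_candidate(e["Image"], e["ImageLoaded"])]


if __name__ == "__main__":
    for image, module in find_sideload_candidates(EVENTS):
        print(f"possible DLL sideloading: {image} loaded {module}")
```

The heuristic is deliberately narrow (name collision plus co-location), so pair it with signature and hash checks on the flagged DLL before raising an alert.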
ReliaQuest researchers noted that similar social media-based campaigns have previously been used to distribute trojan malware to victims. By delivering the malicious payloads via LinkedIn or other social platforms, attackers hope to exploit blind spots that businesses' security controls may not cover.
“This campaign serves as a reminder that phishing isn’t confined to email inboxes. Phishing attacks take place over alternative channels like social media, search engines, and messaging apps, platforms that many organizations still overlook in their security strategies,” ReliaQuest said in the blog post.
“Social media platforms, especially those frequently accessed on corporate devices, provide attackers with direct access to high-value targets… making them invaluable to cybercriminals.”
To help users avoid falling victim to social media-based phishing attacks, ReliaQuest recommended that employers conduct social media-specific cybersecurity training and encourage staff to treat unexpected links or files sent through LinkedIn or other platforms with the same suspicion they treat similar messages received via email.
Researchers also suggested that organizations audit the use of personal social media accounts on corporate devices, potentially implementing controls or restricting access to those not needed for work.
“Organizations must treat social media platforms as an integral part of their attack surface and adopt a proactive, defense-in-depth approach. By combining employee training, advanced detection tools, and strict platform usage policies, they can mitigate the risks and stay ahead of emerging tactics,” ReliaQuest said.
Infosecurity has contacted LinkedIn for comment.
