Hackers abuse LinkedIn DMs to plant malware


Hackers are impersonating recruitment agencies on LinkedIn in a bid to target companies with backdoor malware.

Researchers at Proofpoint found that the malware campaigns primarily targeted US companies in various industries including retail, entertainment, pharmacy, and others that commonly employ online payments, such as online shopping portals.

In a blog post, the firm said hackers establish a relationship with potential victims by abusing LinkedIn's direct messaging service.

In follow-up emails, the actor pretends to be from a staffing company with an offer of employment. In many cases, the actor supports campaigns with fake websites that impersonate legitimate staffing companies. "These websites, however, host the malicious payloads. In other cases, the actor uses a range of malicious attachments to distribute More_eggs," the company said.

After a week, hackers then send a direct email to the target's work address reminding the recipient about the prior attempt to communicate on LinkedIn.

"It uses the target's professional title, as it appears on LinkedIn, as the subject, and often suggests the recipient click on a link to see the noted job description. In other cases, this actor used an attached PDF with embedded URLs or other malicious attachments," Proofpoint added.

The URLs lead to a landing page that spoofs a real talent and staffing management company, using stolen branding to make the campaign look legitimate. The page then triggers the download of a malicious Word document which, if the recipient enables macros, attempts to download and execute the "More_eggs" payload.
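The lure chain above (subject line copied from the target's LinkedIn title, a link to a non-vetted domain, a macro-bearing Word attachment, or a PDF carrying embedded URLs) maps directly onto checks a mail-gateway or SOC triage script can run. The following is an added example written for this article, not code from Proofpoint or from the reporting; the `InboundMail` record, the `KNOWN_STAFFING_DOMAINS` allow-list and the in-memory OOXML container built by `build_docm` are all constructed for illustration. The macro check only inspects OOXML (zip-based) files, so legacy OLE `.doc` files would need a separate parser.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed allow-list: staffing agencies the organisation actually works with.
KNOWN_STAFFING_DOMAINS = {"example-staffing.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Uncompressed PDF link annotations look like: /S /URI /URI (https://...)
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


@dataclass
class InboundMail:
    recipient_title: str      # job title as published on the recipient's LinkedIn profile
    subject: str
    body: str
    attachments: List[Tuple[str, bytes]] = field(default_factory=list)


def normalize(s: str) -> str:
    """Collapse whitespace and case so 'Senior  Engineer' matches 'senior engineer'."""
    return re.sub(r"\s+", " ", s).strip().casefold()


def ooxml_has_macros(data: bytes) -> bool:
    """True if an OOXML blob (docx/docm/xlsm) ships a VBA project stream."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False  # not a zip container; legacy OLE files are out of scope here
    return any(n.lower().endswith("vbaproject.bin") for n in names)


def pdf_embedded_urls(data: bytes) -> List[str]:
    """Extract URI link targets from uncompressed PDF annotations."""
    return [m.decode("latin-1", "ignore") for m in PDF_URI_RE.findall(data)]


def triage(mail: InboundMail) -> List[str]:
    """Return human-readable reasons the message matches the recruiter-lure pattern."""
    reasons: List[str] = []
    if normalize(mail.subject) == normalize(mail.recipient_title):
        reasons.append("subject equals recipient's LinkedIn job title")
    for url in URL_RE.findall(mail.body):
        host = urlparse(url).hostname or ""
        if host not in KNOWN_STAFFING_DOMAINS:
            reasons.append(f"link to unvetted host {host}")
    for name, data in mail.attachments:
        if ooxml_has_macros(data):
            reasons.append(f"attachment {name} contains a VBA project")
        elif name.lower().endswith(".pdf") and pdf_embedded_urls(data):
            reasons.append(f"PDF attachment {name} embeds URLs")
    return reasons


def build_docm(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for the example (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed vba stream")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample message mirroring the lure described in the article.
    sample = InboundMail(
        recipient_title="Senior Software Engineer",
        subject="Senior  software engineer",
        body="Following up on LinkedIn: see the job description at "
             "https://careers-staffing-example.net/jd",
        attachments=[("jd.docm", build_docm(True))],
    )
    for reason in triage(sample):
        print("-", reason)
```

The title comparison is deliberately an exact (normalised) match rather than a fuzzy one: the article's point is that the actor copies the title verbatim, and an exact match keeps false positives from ordinary recruiter mail low. The allow-list, rather than a deny-list, handles the spoofed-branding case, since the landing page is built to look like a legitimate agency.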

"These campaigns demonstrated considerable variability, with the actor frequently changing delivery methods and more," the researchers added.

They said that attackers are turning away from very large-scale "spray and pray" campaigns to focus on persistent infections with downloaders, RATs, banking trojans, and other malware.

The researchers warned: "We can expect more threat actors to adopt approaches that improve the effectiveness of their lures and increase the likelihood of high-quality infections."

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.