Cybersecurity researchers have discovered another fake job campaign that distributes dangerous malware.
Unlike previous versions, this variant does not carry the usual banking Trojan functions, leading researchers to speculate that the malware is being repurposed to distribute ransomware.
Fake job offers on LinkedIn
Mandiant dubbed this version LDR4 after discovering it in late June 2022. To distribute the malware, threat actors create fake LinkedIn accounts, pretending to be recruiters from major companies. After reaching their targets and engaging in conversation to establish some legitimacy, they share a link.
The linked website then asks victims to solve a CAPTCHA challenge to download an Excel document that purports to give more details about the offer, but in fact carries a malicious macro that fetches the malware from a remote location.
Because LDR4 comes in the form of a .DLL file (loader.dll), is packed with portable executable packers, and is signed with valid certificates, it evades detection by some antivirus products, the researchers warned.
Once the .DLL file is run, it collects system service data from the Windows registry and generates a user ID and a system ID. It then communicates with the malware's command-and-control (C2) server to retrieve a list of commands to execute.
Researchers cannot yet confirm Ursnif's endgame with certainty, but they note that a threat actor has been observed allegedly asking partners on underground hacking forums to distribute ransomware and the RM3 version of Ursnif.
The last time we heard about Ursnif was in January 2022, when HP Wolf Security noticed that it was being distributed, via weaponized Excel files, among Italian-speaking users.
Via: Computer