A new malware spread campaign was found.

A new malware spread campaign was found via a private message box on LinkedIn.

LinkedIn can be a popular professional social media, where people working from lower to higher levels are active in job hunting, networking or even finding business partners. This makes contact with each other via DM or Direct Message very popular, and this has become a channel used by hackers to reach victims.

According to a report by the website Security Brief, a research team from ReliaQuest, an expert company in cyber attack response, revealed victim fraud campaigns through a private message channel on LinkedIn in a phishing way to release malware created on the basis of the Python language (no malware is identified) on the victim. The research team said that because the platform has created a reliable application atmosphere, it is easy to build trust in victims working within companies to open up deception to pave the way for malware to access the systems of companies, organizations and businesses.

In the field of malware release deception, it starts with a hacker sending a private message to the victim through a private message box on LinkedIn. The message sent is tempting the victim to download a compressed file. When the file is unpacked, there are four files.

Application file for reading real PDF genus files (PDF Reader)

DLL (Dynamic Link Library) file of malware

Tool file for running Python

And another RAR file that distracts the victim.

According to the research team, hackers often name files seriously, as files for business contact companies such as "Upcoming _ Products .pdf" and "Project _ Execution _ Plan.exe," to lure victims into believing and opening files.

The embedding of the malware begins after the victim runs the PDF Reader application file, a genus file. Exe for running. Although the file itself is a genuine application, running it will lead to a malware DLL file that has been modified by hackers to interoperate with the application. This is a technique called DLL Sideloading. After the DLL file is run, Python Interpreter is placed on the same folder on the victim's system. This step will create persistence on the victim's system by embedding Python malware code into the Run Key Registry.

After the Interpreter is triggered, it decoding the encrypted Shellcode script in Base64 directly into memory through the Python's exec () function. The malware then contacts the C2 or Command and Control server to wait for the next attack command.

ReliaQuest does not specify what kind of malware it is, how it works, or even what the main purpose of using the mentioned malware. It only says that the research team has placed it in the same category as other social media attack campaigns with the purpose of stealing financial information or the purpose of stealing the victim's money. It is expected that this malware will work in a similar way to the malware created to steal other financial information, such as "More _ eggs," which is spread through social media with the skills of famous hackers like FIN6 and Cobalt Group.

# Programmer # Trending # lemon 8 diary # freedomhack # Lemon 8 Howtoo