Cybercriminals target security researchers with malware via fake job offers on LinkedIn

March 13, 2023

According to security researchers at Mandiant, cybercriminals are targeting security researchers with a new malware campaign via fake job offers on LinkedIn.

The attackers are using job postings to deliver a backdoor trojan that can steal data from the victim’s computer. The malware is designed to avoid detection and employs a number of techniques to do so. “In this operation, Mandiant suspects UNC2970 specifically targeted security researchers,” Mandiant researchers wrote.


The fake LinkedIn accounts are carefully crafted to look like legitimate people in order to fool targets and increase the chances of success. Eventually, the threat actor attempts to shift the conversation to WhatsApp and, from there, to deliver a backdoor via either WhatsApp or email. Mandiant tracks the backdoor as Plankwalk, one of several malware families used in the campaign.

Plankwalk and other malware are typically delivered via macros embedded in Microsoft Word documents. When the documents are opened and the macros are allowed to run, a malicious payload is downloaded and executed by the target’s machine from a command and control server.

The command-and-control servers used by the attackers are mostly compromised WordPress sites, another technique characteristic of UNC2970. The target is infected via an archive file containing, among other things, a malicious version of the TightVNC remote desktop application.

The ZIP file delivered by UNC2970 contained what the victim mistook for a job application skills assessment test. In reality, the ZIP contained an ISO file containing a trojanized version of TightVNC identified by Mandiant as LIDSHIFT. The victim was instructed to launch the TightVNC application, which, along with the other files, is labeled with the name of the company for which the victim intended to take the assessment.

LIDSHIFT contained a number of hidden features in addition to functioning as a legitimate TightVNC viewer. The first was that when the malware was executed by the user, it would send a beacon back to its hardcoded C2; the only interaction required from the user was launching the program. This lack of interaction contrasts with the behaviour MSTIC described in a recent blog post. The victim’s username and hostname are included in the initial C2 beacon from LIDSHIFT.
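As an added defender-side illustration, not code from the article or from Mandiant: a small detection sketch over constructed endpoint telemetry that flags a VNC-viewer-named process opening an outbound connection within seconds of launch, either from a path outside the installed location (as a copy unpacked from a ZIP or ISO would be) or to a non-VNC port. The image names, trusted paths, time window and sample events are all assumptions.

```python
"""Flag VNC-viewer-named processes that beacon out immediately on launch."""
from datetime import datetime, timedelta

BEACON_WINDOW = timedelta(seconds=10)                     # assumed threshold
VNC_IMAGE_NAMES = {"tvnviewer.exe", "vncviewer.exe"}      # assumed names
VNC_PORTS = range(5900, 5910)                             # normal VNC ports
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

def is_suspicious_path(image_path):
    """A trojanized copy arrives in a ZIP/ISO, so it runs from a mounted
    image or user-writable folder rather than an installed location."""
    return not image_path.lower().startswith(TRUSTED_DIRS)

def find_launch_beacons(events):
    """Return (pid, image, remote) for VNC-viewer-named processes that connect
    out within BEACON_WINDOW of starting, before any user interaction would
    normally produce traffic, when the path or destination port looks wrong."""
    starts, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process_start":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in VNC_IMAGE_NAMES:
                starts[ev["pid"]] = ev
        elif ev["type"] == "net_connect" and ev["pid"] in starts:
            start = starts[ev["pid"]]
            port = int(ev["remote"].rsplit(":", 1)[-1])
            early = ev["ts"] - start["ts"] <= BEACON_WINDOW
            odd = is_suspicious_path(start["image"]) or port not in VNC_PORTS
            if early and odd:
                hits.append((ev["pid"], start["image"], ev["remote"]))
    return hits

# Constructed sample telemetry: an installed viewer used normally (pid 400)
# versus a copy run from a mounted ISO that beacons on launch (pid 512).
T0 = datetime(2023, 3, 13, 9, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "type": "process_start", "pid": 400,
     "image": "C:\\Program Files\\TightVNC\\tvnviewer.exe"},
    {"ts": T0 + timedelta(seconds=2), "type": "net_connect", "pid": 400,
     "remote": "10.0.0.5:5900"},
    {"ts": T0 + timedelta(seconds=30), "type": "process_start", "pid": 512,
     "image": "E:\\ExampleCorp_Assessment\\tvnviewer.exe"},
    {"ts": T0 + timedelta(seconds=33), "type": "net_connect", "pid": 512,
     "remote": "203.0.113.10:443"},
]

if __name__ == "__main__":
    for hit in find_launch_beacons(SAMPLE_EVENTS):
        print("launch beacon:", hit)
```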

The attack then installs the Plankwalk backdoor, which can in turn install a variety of other tools, including Microsoft’s endpoint management application Intune. Endpoints enrolled in an organization’s Azure Active Directory can be configured using Intune. UNC2970 appears to be using this legitimate application to bypass endpoint protections.

The sources for this piece include an article in BleepingComputer.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
