Linkedin ethical hacking: viruses and worms

An unidentified threat actor has been linked to an actively in-development malware toolkit called the "Eternity Project" that lets professional and amateur cybercriminals buy stealers, clippers, worms, miners, ransomware, and a distributed denial-of-service (DDoS) bot.

What makes this malware-as-a-service (MaaS) stand out is that besides using a Telegram channel to communicate updates about the latest features, it also employs a Telegram Bot that enables the purchasers to build the binary.

"The [threat actors] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies," researchers from Cyble said in a report published last week.

Each of the modules can be leased separately and provides paid access to a wide variety of functions:

  • Eternity Stealer ($260 for an annual subscription) - Siphons passwords, cookies, credit cards, browser cryptocurrency extensions, crypto wallets, VPN clients, and email apps from a victim's machine and sends them to the Telegram Bot
  • Eternity Miner ($90 for an annual subscription) - Abuses the computing resources of a compromised machine to mine cryptocurrency
  • Eternity Clipper ($110) - A crypto-clipping program that steals cryptocurrency during a transaction by substituting the original wallet address saved in the clipboard with the attacker's wallet address
  • Eternity Ransomware ($490) - A 130 KB ransomware executable that encrypts all of the user's files until a ransom is paid
  • Eternity Worm ($390) - Malware that propagates through USB drives, local network shares, and local files, as well as via spam messages broadcast on Discord and Telegram
  • Eternity DDoS Bot (N/A) - The feature is said to be currently under development

Cyble pointed out there are indications that the malware authors may be repurposing existing code related to DynamicStealer, which is available on GitHub, and trading it under a new moniker for profit.

It's worth noting that Jester Stealer, another malware that came to light in February 2022 and has since been put to use in phishing attacks against Ukraine, also utilizes the same GitHub repository for downloading TOR proxies, indicating possible links between the two threat actors.

The cybersecurity firm also said it "has observed a significant increase in cybercrime through Telegram channels and cybercrime forums where [threat actors] sell their products without any regulation."

Just last week, BlackBerry exposed the inner workings of a remote access trojan called DCRat (aka DarkCrystal RAT) that's available for sale at cheap prices on Russian hacking forums and uses a Telegram channel for sharing details regarding software and plugin updates.

Security researchers are warning that LinkedIn has become the most spoofed brand in phishing attacks, accounting for more than 52% of all such incidents at a global level.

The data comes from cybersecurity company Check Point, which recorded a dramatic uptick in LinkedIn brand abuse in phishing incidents in the first quarter of this year.

According to the company, in the last quarter of 2021 LinkedIn held the fifth spot on the list, with a much lower share of impersonation attacks at 8%.

The second most mimicked brand is the German package delivery company DHL, which previously topped the list. A contributing factor was the increased shopping during the holiday season.

Phishing impersonation stats for Q1 2022 (Check Point)

Combining DHL with FedEx, Maersk, and AliExpress, shipping-related phishing messages accounted for 21.8% of incidents in the first three months of 2022, still a significant portion.

In a LinkedIn impersonation sample that Check Point provided, the phishing email reaching the target’s inbox features LinkedIn logos and company-specific style, with a fraudulent request to connect with a made-up firm.

Phishing message featuring LinkedIn branding (Check Point)

Clicking on the "Accept" button takes the victim to a phishing website that looks like an actual LinkedIn login page but is hosted at an unofficial URL - carriermasr.com/public/linkedin.com/linkedin.com/login.php

LinkedIn-themed phishing site (Check Point)
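As an added example (not code from the Check Point report or the article), a small Python check that flags URLs of the shape shown above: a brand name appears in the host, path or query, but the registered domain is not one the brand owns. The brand-to-domain table, the sample URLs and the function names are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed table of brands and the domains they actually own.
# In a real deployment this would come from a maintained allowlist.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "dhl": {"dhl.com"},
    "fedex": {"fedex.com"},
}

# Constructed sample URLs: the one quoted in the article plus controls.
SAMPLE_URLS = [
    "carriermasr.com/public/linkedin.com/linkedin.com/login.php",
    "https://www.linkedin.com/login",
    "https://linkedin.com.example-host.test/login",
    "https://example.com/about",
]


def registered_domain(host):
    """Naive registrable domain: the last two labels of the host.
    Good enough for .com-style hosts; a public-suffix list is needed
    for multi-label TLDs such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_impersonation(url):
    """Return the name of the brand a URL appears to impersonate, or None.
    A URL is flagged when a brand string occurs anywhere in the host, path
    or query while the registered domain is not one the brand owns."""
    if "://" not in url:
        url = "http://" + url  # bare hosts as they appear in email bodies
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registered_domain(host)
    haystack = (host + parts.path + "?" + parts.query).lower()
    for brand, owned in BRAND_DOMAINS.items():
        if reg in owned:
            continue  # the brand's own site; embedded brand names are fine
        if brand in haystack:
            return brand
    return None


def flag_samples():
    """Map each sample URL to the brand it impersonates (None if clean)."""
    return {u: brand_impersonation(u) for u in SAMPLE_URLS}
```

The article's URL is flagged because "linkedin" appears only in the path while the registered domain is carriermasr.com; the genuine www.linkedin.com login page is not.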

Social media phishing is on the rise, as cybersecurity company Vade also reported recently. This is because the takeover of accounts on these platforms opens up a host of practical possibilities for the threat actors.

For example, the hackers may use compromised social media accounts to perform highly effective spear-phishing attacks, post links to malware-hosting sites, or send spyware directly to users who trust them.

In the case of LinkedIn, which is a professional-focused social media platform, the threat actors are likely aiming to perform spear-phishing attacks on high-interest targets, employees of specific companies and organizations.

Another potential exploitation scenario would be sending laced documents masquerading as job offers to specific targets, convincing them to open the files and activate malicious macro code.

For example, North Korean hackers have launched multiple spear-phishing campaigns in the past that leveraged LinkedIn, which proved to be very effective.

However, the scale recorded by Check Point this time indicates that LinkedIn impersonation is no longer limited to advanced, narrowly targeting threat groups like Lazarus.

Learn how to detect, analyze, and defeat different types of malware, from viruses and worms to Trojans and backdoors. The key to effectively protecting your systems is understanding the attacks you have to defend them against. This course introduces the different types of malware (malicious software) that can be used to exploit a target computer. It covers viruses and worms—malware which can propagate itself onto other computers through removable media or networks—as well as Trojans and backdoors. Instructor Malcolm Shore explains where malware hides, and how you can detect it to protect your networks and systems against cyberattack. He reverse-engineers malware so you can see how it operates, and explains how attackers create malware using automated malware construction kits called “botnets.” Along the way, Malcolm introduces malware analysis tools that are useful for the career of any IT professional.

Introduction

  • What malware is and how it behaves
  • What you should know
1. Introduction to Malware
  • Types of malware
  • The evolution of malware
  • How malware is delivered
  • How malware works
  • How malware achieves persistence
  • Digging into rootkits
  • Automating malware with botnets
  • Virus construction kits
  • Contemporary malware construction
  • The MITRE ATT&CK repository
2. Malware Detection
  • Indicators of compromise
  • Checking for anomalous behavior
  • Sandboxing malware
3. Advanced Techniques
  • Hiding malware
  • Malware that changes its spots
  • Polymorphic malware
  • Using cryptography in ransomware
  • Understanding advanced persistent threats
  • Analyzing Win32.Sodin
4. Reverse Engineering Malware
  • Using reverse engineering to understand code
  • Considering malware in families
  • Automated malware analysis
  • Analyzing BlackEnergy and GreyEnergy
Conclusion
