This fake job offer scam will just infect your device with deadly malware

Fraudsters are distributing Ursnif via LinkedIn alerts

Cybersecurity researchers have spotted yet another fake job campaign distributing deadly malware.

Mandiant’s latest report found that a new version of known malware threat Ursnif (also known as Gozi) has been reported in the wild.

Unlike the previous versions, this one does not carry its usual banking trojan functionalities, prompting researchers to speculate the malware is being modded to distribute ransomware.

Fake job offers on LinkedIn

Mandiant dubbed this version LDR4, after spotting it in late June 2022. To distribute the malware, the threat actors are creating fake LinkedIn accounts, posing as recruiters for major companies. After reaching out to their targets and engaging in a conversation to establish some legitimacy, they share a link.

The linked website then demands victims solve a CAPTCHA challenge to download an Excel document that claims to offer more details about the position, but actually carries a malicious macro that fetches the malware from a remote location.

As LDR4 comes in the form of a .DLL file (loader.dll), is packed by portable executable crypters, and is signed with valid certificates, it evades detection from some antivirus solutions, the researchers warned.

Once the .DLL file runs, it collects system service data from the Windows registry and generates a user and system ID. It also connects to the malware’s command and control server (C2) to obtain the list of commands it needs to execute.

Currently, the researchers can’t 100% confirm Ursnif’s endgame, but they did note that a threat actor was allegedly observed asking for partners to distribute ransomware and the RM3 version of Ursnif via underground hacking forums.

The last time we heard of Ursnif was in January 2022, when HP Wolf Security observed it being distributed, via weaponized Excel files, among Italian-speaking users.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
