The threat of malware strikes the business world again, and this time it’s using LinkedIn to trick users into downloading the DarkGate malware.
LinkedIn is designed to help professionals connect with each other and build professional relationships. It’s proven to be wildly popular, with 950 million members currently registered on the platform.
But where there are huge numbers of users, there will also be large amounts of data. And this data is like catnip to threat actors. This is why fake LinkedIn posts have started appearing on the platform. These posts, as well as a campaign of direct messages, are far from informative for the users of LinkedIn. Instead, they are being used to trick LinkedIn users, primarily those who hold positions within the social media niche, into downloading malware.
Unveiling the Essentials of DarkGate on LinkedIn
Security experts have been aware of DarkGate since 2017, but it was considered a low-level threat due to its limited activity in the digital wild. However, this changed in June 2023, when its creator began selling it as a Malware-as-a-Service package. Since then, a campaign using DarkGate has been launched by threat actors, believed to be operating from Vietnam, which targets LinkedIn users.
Mostly, these users have been social media managers operating in the US, the UK, and India. Using LinkedIn posts, or sending direct messages to targets, the threat actors propose that a job offer at Corsair is on the table. LinkedIn is a highly popular recruitment tool, so there’s nothing out of the ordinary about these initial contacts. However, the targets are then encouraged to download malicious documents, such as a Word document containing a job description and a text file discussing salary details.
Within these documents are malicious links. Once clicked, these links trigger a chain of scripts that assemble and install DarkGate on the victim’s machine. The malware’s first move is to start uninstalling security tools located on the infected system. DarkGate’s next step is to begin harvesting data from the compromised system. In particular, DarkGate appears to be targeting login credentials for Facebook business accounts, hence the focus on social media managers.
Protecting Your Credentials from DarkGate
If you’re a social media manager and regularly log on to LinkedIn, the advice is simple: stay away from any links relating to job offers for Corsair. Unfortunately, the threat actors are likely to change the details of their attack now that it’s started generating headlines. Nonetheless, you can still do the following to protect your credentials:
- Never click unsolicited links: it’s important to be vigilant against unsolicited links, especially when they’re found in unsolicited direct messages. If you do receive direct messages, or even emails, containing unsolicited links, it’s best to delete them and block the sender.
- Install all updates: clicking a malicious link can help threat actors exploit vulnerabilities within your PC, so you need to minimize the number of vulnerabilities that are present. The best way to achieve this is by always installing updates when prompted, or by making sure that automatic updates are activated.
- Use an authenticator app: both LinkedIn and Facebook allow you to use an authenticator app to provide a further layer of security to your credentials. Most commonly, the sites in question will require you, after entering your login credentials, to enter a unique code generated by the app. This means that, if your login credentials are compromised, they will be next to useless to threat actors.
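To show why a harvested password alone is "next to useless" once an authenticator app is enrolled, here is an added example (not code from the original post or from LinkedIn or Facebook) of the TOTP check such a login performs, following RFC 4226/6238. The account record, password and secret are constructed for the demo; the secret is the RFC 6238 test key, and the SHA-256 password hash stands in for a proper slow password hash.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo account. The TOTP secret is normally shown to the user once
# as a QR code and lives only in the authenticator app and on the server.
DEMO_SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real secret
DEMO_USER = {
    "password_hash": hashlib.sha256(b"hunter2").hexdigest(),  # demo only; use Argon2/bcrypt in practice
    "totp_secret": DEMO_SECRET,
    "last_counter": -1,  # highest time step already accepted (replay guard)
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(user: dict, submitted: str, at_time: float, window: int = 1) -> bool:
    """Accept the current step or +/- `window` steps (clock drift), but never a
    step at or below the last accepted one, so an intercepted code cannot be replayed."""
    current = int(at_time) // 30
    for counter in range(current - window, current + window + 1):
        if counter <= user["last_counter"]:
            continue  # already used or stale
        if hmac.compare_digest(hotp(user["totp_secret"], counter), submitted):
            user["last_counter"] = counter
            return True
    return False


def login(user: dict, password: str, code: str, at_time: float = None) -> bool:
    """Both factors must pass: a stolen password fails without the live app code."""
    now = time.time() if at_time is None else at_time
    pw_ok = hmac.compare_digest(
        hashlib.sha256(password.encode()).hexdigest(), user["password_hash"])
    return pw_ok and verify_totp(user, code, now)
```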
For more ways to secure and optimize your business technology, contact your local IT professionals.