This fake job ad scam will simply infect your device with deadly malware

Cybersecurity researchers have detected another fake job campaign that distributes deadly malware.

Mandiant's latest report describes a new variant of the well-known Ursnif malware (also known as Gozi).

Unlike previous versions, this one lacks the usual banking Trojan functionality, leading researchers to believe the malware has been repurposed to distribute ransomware.

Fake LinkedIn Job Postings

Mandiant named this version LDR4 after detecting it in late June 2022. To spread the malware, the threat actors create fake LinkedIn accounts posing as recruiters for large corporations. After reaching their targets and striking up a conversation to establish some legitimacy, they share a link.

The linked website then asks victims to complete a CAPTCHA challenge in order to download an Excel document that claims to offer more details about the location, but actually contains a malicious macro that retrieves the malware from a remote server.
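The lure described above is a macro-enabled Excel file. The following is an added example, not code from the original article or from Mandiant, showing how a mail or download gateway could flag such attachments by inspecting the OOXML package rather than trusting the file extension. The sample workbooks are constructed in memory (a minimal macro-enabled package and a minimal macro-free one); `build_workbook`, `macro_indicators` and `classify` are names chosen for this example.

```python
import io
import zipfile

# Constructed [Content_Types].xml parts for the demo; real workbooks carry more overrides.
MACRO_ENABLED_CT = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/xl/workbook.xml" '
    'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
    '<Override PartName="/xl/vbaProject.bin" '
    'ContentType="application/vnd.ms-office.vbaProject"/>'
    "</Types>"
)
MACRO_FREE_CT = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/xl/workbook.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>'
    "</Types>"
)


def build_workbook(content_types: str, with_vba: bool) -> bytes:
    """Build a constructed, minimal OOXML spreadsheet package (a ZIP container)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Only the OLE magic bytes; no real VBA project is embedded.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


def macro_indicators(data: bytes) -> dict:
    """Report which macro indicators an OOXML package carries.

    Two independent signals are checked: the presence of a vbaProject.bin part,
    and a macro-enabled content type declared in [Content_Types].xml.
    """
    ind = {"is_ooxml": False, "vba_part": False, "macro_content_type": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            ind["is_ooxml"] = "[Content_Types].xml" in names
            ind["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            if ind["is_ooxml"]:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace").lower()
                ind["macro_content_type"] = "macroenabled" in ct or "vbaproject" in ct
    except zipfile.BadZipFile:
        pass  # not a ZIP container, so not an OOXML document
    return ind


def classify(filename: str, data: bytes) -> str:
    """Gateway verdict for a spreadsheet attachment, based on content, not extension."""
    ind = macro_indicators(data)
    if not ind["is_ooxml"]:
        return "not-ooxml"
    if ind["vba_part"] or ind["macro_content_type"]:
        # A .xlsm renamed to .xlsx still carries the VBA part, so this catches it too.
        return "quarantine"
    return "allow"


if __name__ == "__main__":
    for name, blob in (
        ("job_details.xlsm", build_workbook(MACRO_ENABLED_CT, True)),
        ("job_details.xlsx", build_workbook(MACRO_ENABLED_CT, True)),  # renamed macro file
        ("salary_table.xlsx", build_workbook(MACRO_FREE_CT, False)),
    ):
        print(f"{name}: {classify(name, blob)}")
```

Checking the package contents matters because the macro-enabled/macro-free distinction lives inside the ZIP, and a renamed extension changes nothing there. Legacy binary formats (.xls) are OLE2 files rather than ZIP packages and need a separate check, which this example does not cover.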

Because LDR4 comes in the form of a .DLL file (loader.dll), is packed with portable-executable crypters, and is signed with valid certificates, it evades detection by some antivirus solutions, the researchers warned.

Once the .DLL file is executed, it collects system service data from the Windows registry and generates a system and user ID. It then connects to the malware's command and control (C2) server to retrieve the list of commands it should execute.
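The behaviour just described (a DLL loaded from a user-writable path, service enumeration in the registry, then an outbound C2 connection) is a sequence defenders can correlate in endpoint telemetry. The following is an added example, not code from the article or from Mandiant, that runs a simple correlation over constructed Sysmon-style events; the event schema, the process IDs, the paths and the destination address are all made up for this illustration, and `correlate` is a name chosen here.

```python
from datetime import datetime, timedelta

# Heuristics for the first stage of the chain: a DLL-hosting process launched
# with a DLL that lives somewhere a user (or a downloaded document) can write.
DLL_HOSTS = ("rundll32.exe", "regsvr32.exe")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
SERVICES_KEY = "\\currentcontrolset\\services"


def dll_from_user_path(cmdline: str) -> bool:
    c = cmdline.lower()
    return ".dll" in c and any(p in c for p in USER_WRITABLE)


def correlate(events: list, window_s: int = 120) -> list:
    """Return alerts for processes that complete the full three-step chain
    (suspicious DLL host -> services registry read -> network connect) within window_s."""
    tracked = {}  # pid -> state of a candidate chain
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if (e["event"] == "ProcessCreate"
                and e["image"].lower().endswith(DLL_HOSTS)
                and dll_from_user_path(e["cmdline"])):
            tracked[e["pid"]] = {"start": e["ts"], "cmdline": e["cmdline"],
                                 "services_read": False, "dest": None}
            continue
        st = tracked.get(e["pid"])
        if st is None or e["ts"] - st["start"] > timedelta(seconds=window_s):
            continue
        if e["event"] == "RegistryQuery" and SERVICES_KEY in e["key"].lower():
            st["services_read"] = True
        elif e["event"] == "NetworkConnect":
            st["dest"] = e["dest"]
    return [{"pid": pid, "cmdline": st["cmdline"], "dest": st["dest"]}
            for pid, st in tracked.items() if st["services_read"] and st["dest"]]


# Constructed sample telemetry: pid 4120 follows the full chain, pid 4444 is a
# benign rundll32 from System32 that also talks to the network.
T0 = datetime(2022, 6, 28, 9, 15, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "event": "ProcessCreate", "pid": 4120, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\alice\\Downloads\\loader.dll,DllRegisterServer"},
    {"ts": T0 + timedelta(seconds=3), "event": "RegistryQuery", "pid": 4120,
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services"},
    {"ts": T0 + timedelta(seconds=9), "event": "NetworkConnect", "pid": 4120,
     "dest": "203.0.113.45:443"},  # documentation range, constructed
    {"ts": T0 + timedelta(seconds=20), "event": "ProcessCreate", "pid": 4444,
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"ts": T0 + timedelta(seconds=25), "event": "NetworkConnect", "pid": 4444,
     "dest": "198.51.100.7:80"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The window and path heuristics are deliberately simple; in production the same chain would be expressed as a correlation rule over process-creation, registry and network events with the host's own baseline of legitimate DLL-hosting processes excluded.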

Researchers cannot yet confirm that ransomware is the endgame for this Ursnif variant, but they noted that a threat actor has been observed on underground hacking forums asking partners to distribute ransomware together with the RM3 version of Ursnif.

The last time we heard about Ursnif was in January 2022, when HP Wolf Security observed its distribution, via crafted Excel files, among Italian-speaking users.

Via: BleepingComputer