Targeting several key industries, this new campaign likely seeks to aid the Iranian government with information that could be of use to further Iran’s economic and security goals.
This month, security vendor FireEye identified a new phishing campaign targeting organizations in the Oil and Gas, Energy and Utilities, and Government sectors, leveraging LinkedIn as the medium both to establish contact and to deliver malware. The FireEye Labs Advanced Reverse Engineering (FLARE) team released details on this campaign by the Iranian-nexus threat actor APT34, in which the following takes place:
- The target victim is contacted via LinkedIn by a user who claims to be “Research Staff at University of Cambridge”
- The victim is offered a job and asked to provide a resume, all via LinkedIn messaging
- The victim is then asked to fill out a document as part of the process, and a link is provided on the somewhat convincing cam-research-ac.com domain
- Once downloaded and opened, the document runs a VBA macro that creates a file named system.doc, which is launched when the initial download is closed
- The Tonedeaf malware is a backdoor that communicates via HTTPS or DNS and can be used to collect system information, upload files, and run commands
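As an added illustration (not from the original post or from FireEye), the two host-side indicators this chain leaves behind, a lookup of or request to the lure domain and Word writing a file named system.doc, can be matched in endpoint and network telemetry. The log format and sample lines below are constructed for the example; the only campaign-specific values are the domain and file name named above.

```python
"""Constructed detection example for the LinkedIn lure chain described above.
Log format (key=value pairs, no spaces inside values) is an assumption for the
example, not a vendor format; the sample events are constructed, not real."""
from dataclasses import dataclass

LURE_DOMAIN = "cam-research-ac.com"   # lure domain named in the post
DROPPED_FILE = "system.doc"           # file the VBA macro creates, per the post
OFFICE_PROC = "WINWORD.EXE"           # the document is a Word file

# Constructed sample telemetry: one benign host (WS02) and one matching the chain (WS01).
SAMPLE_LOG = """\
ts=2019-07-22T10:01:03Z type=dns host=WS01 query=linkedin.com
ts=2019-07-22T10:02:11Z type=dns host=WS01 query=cam-research-ac.com
ts=2019-07-22T10:02:12Z type=http host=WS01 url=https://cam-research-ac.com/form.doc
ts=2019-07-22T10:03:40Z type=file host=WS01 proc=WINWORD.EXE path=C:\\Users\\a\\AppData\\Local\\system.doc
ts=2019-07-22T10:05:00Z type=file host=WS02 proc=EXCEL.EXE path=C:\\Users\\b\\report.xlsx
ts=2019-07-22T10:06:00Z type=dns host=WS02 query=notcam-research-ac.com
"""

@dataclass
class Alert:
    ts: str
    host: str
    reason: str

def parse_line(line):
    """Split 'k=v k=v ...' into a dict; values never contain spaces in this format."""
    return dict(kv.split("=", 1) for kv in line.split(" ") if "=" in kv)

def is_lure_domain(name):
    # Exact match or subdomain only; 'notcam-research-ac.com' must not match.
    name = name.lower().rstrip(".")
    return name == LURE_DOMAIN or name.endswith("." + LURE_DOMAIN)

def scan(log_text):
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        kind = ev.get("type")
        if kind == "dns" and is_lure_domain(ev.get("query", "")):
            alerts.append(Alert(ev["ts"], ev["host"], "DNS lookup of lure domain"))
        elif kind == "http" and is_lure_domain(ev.get("url", "").split("/")[2]):
            alerts.append(Alert(ev["ts"], ev["host"], "HTTP request to lure domain"))
        elif kind == "file" and ev.get("proc", "").upper() == OFFICE_PROC:
            # Normalise Windows paths and compare only the file name, case-insensitively.
            fname = ev.get("path", "").replace("\\", "/").split("/")[-1].lower()
            if fname == DROPPED_FILE:
                alerts.append(Alert(ev["ts"], ev["host"], "Word wrote system.doc"))
    return alerts
```

Running scan(SAMPLE_LOG) yields three alerts, all on WS01, which together reconstruct the lure-to-drop sequence the post describes.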
While the latter part of the attack looks like the more malicious part of the campaign, it is the beginning that you should actually be worried about. The use of a legitimate service like LinkedIn adds credibility to the phishing account, and the context of a business proposition (such as a job opportunity) is exactly what communications on LinkedIn are expected to look like.
All this spells doom for unwitting users who simply aren’t paying attention. Users need to undergo frequent Security Awareness Training to educate them on tactics like these, so that they are vigilant when interacting with anyone on the web or via email – and especially when someone sends an unsolicited document and asks for it to be opened.