Cofense uncovers new LinkedIn phishing scam delivering ConnectWise RAT. Find out how attackers bypass security with fake InMail emails and how to defend against this sophisticated phishing tactic.
Cybersecurity researchers at Cofense have recently uncovered a deceptive campaign that distributes malicious software using a spoofed LinkedIn email. This operation, detected by their Phishing Defense Center and Intelligence teams, diverges from typical LinkedIn-themed phishing attacks, which usually aim to steal user credentials or facilitate business email compromise. Instead, this campaign delivers a remote access trojan known as ConnectWise RAT.
The fraudulent email is designed to mimic a notification for a LinkedIn InMail message, a feature that allows users to contact people outside of their immediate network. The email leverages LinkedIn's branding effectively, creating a convincing sense of legitimacy. However, careful examination reveals that the email uses an outdated template, reminiscent of LinkedIn's design prior to its 2020 user interface and branding overhaul.
The email's narrative centres on a supposed sales director from a company requesting a product or service quote. This technique aims to create a sense of urgency, prompting the recipient to respond quickly. However, the sender's identity and the company mentioned are fabricated.
The profile picture used in the email belongs to a real person, Cho So-young, who is the president of a Korean civil engineering organization, while the company name (DONGJIN Weidmüller Korea Ind) combines elements of two legitimate companies; the company itself does not exist.
Clicking the "Read More" or "Reply To" buttons embedded within the email triggers the download of the ConnectWise RAT installer. Interestingly, the email avoids the common tactic of directly prompting users to download or run a file. This subtle approach is likely designed to bypass the suspicions of users who are trained to be wary of such direct requests.
Analysis of the email's security headers reveals that it fails Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication checks, indicating that the email was not sent from a legitimate LinkedIn server and was not digitally signed.
Despite these red flags, the email bypassed existing security measures, likely because the Domain-based Message Authentication, Reporting & Conformance (DMARC) policy was configured to mark the email as spam rather than outright rejecting it.
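To make the SPF/DKIM/DMARC point concrete, here is an added example (not Cofense's code or anything from the campaign) that reads the authentication results out of an `Authentication-Results` header, re-checks DMARC alignment, and applies a DMARC policy record. It shows why a message that fails both SPF and DKIM still reaches a mailbox when the spoofed domain publishes `p=quarantine`, and is refused outright under `p=reject`. All domain names, IP addresses, header values and DMARC records are constructed placeholders.

```python
"""Added example (not Cofense's code): evaluate SPF/DKIM results from an
Authentication-Results header, re-check DMARC alignment, and apply a DMARC
policy record to decide a message's disposition.
Every domain, IP and header value below is a constructed placeholder."""
import email
import re

# Constructed sample: a LinkedIn-themed lure that fails both SPF and DKIM.
# Nothing here is copied from the real campaign.
RAW_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 198.51.100.23) smtp.mailfrom=bounce.lure-host.example;
 dkim=fail (signature did not verify) header.d=lure-host.example;
 dmarc=fail header.from=linkedin.example
From: LinkedIn <messages-noreply@linkedin.example>
To: buyer@example.net
Subject: New InMail: request for quotation

You have a new InMail. [Read More] [Reply To]
"""

# Hypothetical DMARC TXT records for the spoofed brand domain (constructed).
DMARC_QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@linkedin.example"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@linkedin.example"


def parse_auth_results(raw_message: str) -> dict:
    """Pull the spf/dkim verdicts and the domains they were evaluated for
    out of the (possibly folded) Authentication-Results header."""
    msg = email.message_from_string(raw_message)
    header = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))

    def grab(pattern: str):
        m = re.search(pattern, header, re.IGNORECASE)
        return m.group(1).lower() if m else None

    return {
        "spf": grab(r"\bspf=(\w+)"),
        "spf_domain": grab(r"smtp\.mailfrom=([\w.-]+)"),
        "dkim": grab(r"\bdkim=(\w+)"),
        "dkim_domain": grab(r"header\.d=([\w.-]+)"),
        "from_domain": grab(r"header\.from=([\w.-]+)"),
    }


def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction (last two labels); a real
    implementation would consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def dmarc_passes(results: dict) -> bool:
    """DMARC passes when SPF or DKIM passed *and* the domain that passed
    aligns (relaxed mode) with the RFC 5322 From domain the user sees."""
    frm = org_domain(results["from_domain"])
    spf_ok = results["spf"] == "pass" and org_domain(results["spf_domain"]) == frm
    dkim_ok = results["dkim"] == "pass" and org_domain(results["dkim_domain"]) == frm
    return spf_ok or dkim_ok


def parse_dmarc_record(record: str) -> dict:
    """Turn 'v=DMARC1; p=quarantine; ...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def disposition(record: str, results: dict) -> str:
    """What a receiving MTA should do with the message under this policy:
    'deliver', 'quarantine' (spam folder) or 'reject' (never delivered)."""
    if dmarc_passes(results):
        return "deliver"
    policy = parse_dmarc_record(record).get("p", "none")
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")


if __name__ == "__main__":
    res = parse_auth_results(RAW_MESSAGE)
    print(res)
    print("p=quarantine ->", disposition(DMARC_QUARANTINE, res))  # quarantine
    print("p=reject     ->", disposition(DMARC_REJECT, res))      # reject
```

The point of the example is the last two lines: the same failing message is merely routed to spam under `p=quarantine`, which is where a user can still open it and click the buttons, but is refused at the gateway under `p=reject`. Brand owners publishing `p=reject` and receivers honouring it removes that window; the alignment check also shows why a passing SPF result on an attacker-controlled bounce domain does not help the spoofed From domain.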
This campaign has been active since at least May 2024, with the email template remaining consistent. However, whether earlier iterations of this campaign also delivered the ConnectWise RAT remains unconfirmed.
"This campaign was found to exist in the wild as far back as May 2024. While the email template has not changed since then, Cofense Intelligence was unable to confirm whether this campaign was used to deliver ConnectWise RAT in prior samples that were found via open-source intelligence," researchers noted in the blog post.
Nonetheless, this campaign highlights the evolving tactics of cybercriminals and the persistent threat of sophisticated phishing attacks involving LinkedIn. Protection against such threats requires educating employees to carefully scrutinize email senders, especially those requesting urgent actions; correctly configuring email authentication protocols (SPF, DKIM, and DMARC); and ensuring your Secure Email Gateway (SEG) is configured to effectively filter and block suspicious emails.