Fake Corsair Job Offer – LinkedIn Used to Spread DarkGate Malware

Over the years, we’ve witnessed numerous methods used by cybercriminals to trick their victims into downloading malware on their devices. Most of the time, threat actors resort to social media accounts such as Facebook and Instagram. However, this time around, they’re spreading DarkGate malware through fake job offers on LinkedIn.

In this particular campaign, users are stumbling upon posts and direct messages sent by hardware maker Corsair.

In reality, it’s a lure to convince and trick them into installing info-stealing malware like DarkGate and RedLine.

We all know what RedLine is capable of – it has been around for quite some time now. But what about DarkGate? How are the threat actors pulling this off? We’ve discussed everything in the following article.

Fake LinkedIn Job – A DarkGate to Maliciousness

LinkedIn is one of the biggest professional platforms in the world. Users from all over the world join to find the right job, develop professional relationships, and gain the experience needed for a professional career.

Just like Instagram and Facebook, LinkedIn has millions of users – 950 million members, to be exact. With that number, threat actors can gain a lot of valuable information if successful with their campaign.

Speaking of, this new campaign on LinkedIn sees a particular group targeting users with fake Corsair job offers through regular posts and Direct Messages.

According to cybersecurity company WithSecure, the attack is linked to a Vietnamese threat group that was active earlier this year through multiple campaigns.

In this campaign, the group is spreading DarkGate – an info-stealing malware that first saw the light back in 2017. However, it remained limited until 2023, when its creator decided to sell it to a larger audience.

With updated DarGate capabilities, the group behind this attack is targeting users in the U.S., the U.K., and India who are looking for a job as Facebook Ads specialists at Corsair.

Within the DM or post, users are prompted to download malicious files, including a ZIP file (“Salary and new products.8.4.zip”).

When unzipped, users can find a TXT file as well as a DOCX document that includes the following:

• Corsair’s job description
• Products and Salary (.txt)
• Products and Salary (.pdf)

Once everything is in place and DarkGate takes root, it’ll attempt to uninstall security products from the compromised device. In other words, an automated process is in place.

LinkedIn does help out users with its own security measures, especially the ones used to fight abuse by determining fake and suspicious accounts.

Regardless, users should also keep an eye out for anything that can flag suspicion. They should remain vigilant when handling files and trusting anyone over social media platforms.

Remain Vigilant, Stay Safe!

When your device is breached, threat actors can gain access to sensitive data, such as usernames, passwords, and even banking accounts.

LinkedIn is the perfect place to find a job, and it’s your job to protect your information as well. Be careful; even LinkedIn can be used for malicious purposes.