Severity
Medium
Analysis Summary
LinkedIn, the popular professional networking and job search site, is currently being used by threat actors as the lure in a social engineering scheme designed to steal users' credentials and spread malicious binaries. The actors also host the malicious content on Yola, a legitimate site-hosting service, so that the pages look more legitimate. The .NET-based binaries hosted there belong to the Agent Tesla malware family and to another family not previously seen in the wild. Their main functionality is stealing information and exfiltrating it over SMTP. Agent Tesla appeared frequently in attack campaigns throughout the second quarter of 2020 and is active again.
Impact
- Credential theft
- Information theft
- Data exfiltration
Indicators of Compromise
Domain Name
- jobsfinder3ee[.]online
- mpivn[.]org
URL
- http[:]//mpivn[.]org/LinkedIn-jobs
- https[:]//mpivn[.]org/LinkedIn-jobs/
Remediation
- Block the threat indicators at their respective controls.
- Do not click on untrusted links that use job offers as a lure.
- Exercise caution when accessing the legitimate LinkedIn website.
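To act on the first remediation item, the following added example (not part of the advisory or of any vendor tooling) refangs the domains and URLs published above and checks them against proxy and DNS log lines; the log lines and their field layout are constructed assumptions, and the match rules (host or subdomain for domains, exact host-plus-path for URLs) are this example's own choice.

```python
import re
from urllib.parse import urlparse

# Defanged indicators exactly as published in the advisory above.
DEFANGED_DOMAINS = ["jobsfinder3ee[.]online", "mpivn[.]org"]
DEFANGED_URLS = ["http[:]//mpivn[.]org/LinkedIn-jobs",
                 "https[:]//mpivn[.]org/LinkedIn-jobs/"]

# Constructed sample log lines (assumed proxy/DNS layout, not real telemetry).
SAMPLE_LOGS = [
    "2020-08-11T09:14:02Z proxy user=jdoe GET https://www.linkedin.com/jobs/ 200",
    "2020-08-11T09:15:41Z proxy user=jdoe GET http://mpivn.org/LinkedIn-jobs 200",
    "2020-08-11T09:16:05Z dns query=cdn.jobsfinder3ee.online type=A",
    "2020-08-11T09:16:30Z proxy user=asmith GET https://mpivn.org/about 200",
]

URL_RE = re.compile(r"https?://([^/\s:]+)(/[^\s?#]*)?", re.I)
HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form for matching."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def iocs():
    """Return (set of domains, set of (host, path) tuples) from the advisory lists."""
    domains = {refang(d).lower() for d in DEFANGED_DOMAINS}
    urlpaths = set()
    for u in DEFANGED_URLS:
        p = urlparse(refang(u))
        urlpaths.add((p.hostname.lower(), p.path.rstrip("/").lower()))
    return domains, urlpaths


def scan(log_lines):
    """Return [(line_no, host, reason)] for lines that hit an indicator."""
    domains, urlpaths = iocs()
    hits = []
    for n, line in enumerate(log_lines, 1):
        flagged = set()
        for m in URL_RE.finditer(line):  # full-URL match: host plus path
            host = m.group(1).lower()
            path = (m.group(2) or "/").rstrip("/").lower()
            if (host, path) in urlpaths:
                hits.append((n, host, "url"))
                flagged.add(host)
        for host in HOSTNAME_RE.findall(line):  # bare hostnames, e.g. DNS queries
            host = host.lower()
            if host in flagged:
                continue
            if host in domains or any(host.endswith("." + d) for d in domains):
                hits.append((n, host, "domain"))
                flagged.add(host)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```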