Researchers uncovered a LinkedIn messaging phishing campaign that sends a WinRAR self-extracting archive which sideloads a malicious DLL, drops a Python interpreter that runs in memory, and attempts to install a remote access trojan.
KEY FACTS
- Incident: LinkedIn private messages used to contact targets
- Delivery: WinRAR self-extracting archive distributes four components
- Technique: DLL side-loading (MITRE ATT&CK)
- Persistence: Registry Run key launches a dropped Python interpreter
The archive unpacks a legitimate open source PDF reader, a malicious DLL that is sideloaded by that reader, a portable Python executable, and a RAR file that appears to be a decoy.
In a technical analysis by ReliaQuest, researchers reported that the sideloaded DLL drops the Python interpreter, creates a Registry Run key to ensure the interpreter runs at login, and executes Base64-encoded open source shellcode directly in memory.
The final payload attempts to contact an external server to grant persistent remote access and to exfiltrate data of interest. The campaign uses legitimate open source tools to reduce forensic artifacts and to evade detection.
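The two behaviours described above, a Run key that starts a dropped Python interpreter and a legitimate application loading an unsigned DLL from its own directory, are the kind of thing a hunt query can surface in endpoint telemetry. The following is an added example written for this page, not ReliaQuest's tooling or anything from the campaign itself. It runs two simple heuristics over constructed sample records: Run-key values and DLL image-load events are made up for illustration, the field names (`hive`, `command`, `process_path`, `image_path`, `signed`) are assumptions about what an EDR export might carry, and the list of user-writable roots is a deliberately short approximation.

```python
"""Hunt heuristics for Run-key persistence via a dropped interpreter and for
DLL sideloading from a user-writable directory. Hypothetical example over
constructed telemetry; not the analysis tooling referenced in the article."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Approximation (assumption): directories an unprivileged user can write to.
# A persistence command or a loaded DLL living here deserves a closer look than
# one under Program Files or System32.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
INTERPRETER_NAMES = {"python.exe", "pythonw.exe", "python3.exe"}


@dataclass
class RunKeyValue:
    hive: str      # "HKCU" or "HKLM"
    name: str      # value name under ...\CurrentVersion\Run
    command: str   # command line stored in the value


@dataclass
class ImageLoadEvent:
    process_path: str  # executable that performed the load
    image_path: str    # DLL that was loaded
    signed: bool       # whether the DLL carried a valid Authenticode signature


def in_user_writable_dir(path: str) -> bool:
    """True when the path sits under one of the user-writable roots."""
    return str(PureWindowsPath(path)).lower().startswith(USER_WRITABLE_ROOTS)


def executable_of(command: str) -> str:
    """Extract the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0]


def suspicious_run_key(value: RunKeyValue) -> bool:
    """Run value that launches a Python interpreter from a user-writable path:
    matches the persistence pattern described for this campaign."""
    exe = executable_of(value.command)
    name = PureWindowsPath(exe).name.lower()
    return name in INTERPRETER_NAMES and in_user_writable_dir(exe)


def suspicious_sideload(event: ImageLoadEvent) -> bool:
    """Unsigned DLL loaded from the same directory as the process executable,
    with that directory being user-writable: the classic sideloading shape."""
    proc_dir = PureWindowsPath(event.process_path).parent
    dll_dir = PureWindowsPath(event.image_path).parent
    return (not event.signed) and dll_dir == proc_dir and in_user_writable_dir(event.image_path)


def triage(run_keys, image_loads) -> list:
    """Return one human-readable finding per record that trips a heuristic."""
    findings = []
    for v in run_keys:
        if suspicious_run_key(v):
            findings.append(f"RUN_KEY {v.hive}\\...\\Run\\{v.name}: {v.command}")
    for e in image_loads:
        if suspicious_sideload(e):
            findings.append(f"SIDELOAD {e.process_path} loaded unsigned {e.image_path}")
    return findings


# Constructed sample telemetry (not real artifacts from the campaign).
SAMPLE_RUN_KEYS = [
    RunKeyValue("HKCU", "OneDrive", '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
    RunKeyValue("HKCU", "Updater",
                '"C:\\Users\\alice\\AppData\\Roaming\\pyrt\\pythonw.exe" C:\\Users\\alice\\AppData\\Roaming\\pyrt\\loader.py'),
    RunKeyValue("HKLM", "DevTools", '"C:\\Program Files\\Python311\\python.exe" -m devtools'),
]
SAMPLE_IMAGE_LOADS = [
    ImageLoadEvent("C:\\Program Files\\PdfReader\\reader.exe", "C:\\Windows\\System32\\kernel32.dll", True),
    ImageLoadEvent("C:\\Users\\alice\\Downloads\\report\\reader.exe", "C:\\Users\\alice\\Downloads\\report\\helper.dll", False),
    ImageLoadEvent("C:\\Users\\alice\\Downloads\\report\\reader.exe", "C:\\Windows\\System32\\user32.dll", True),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_RUN_KEYS, SAMPLE_IMAGE_LOADS):
        print(line)
```

Both heuristics are intentionally narrow: a Python interpreter installed under Program Files is not flagged, and a signed DLL loaded from a user directory is not flagged either. In a real deployment the user-writable roots and interpreter names would come from the organisation's own software inventory, and a Run-key hit would be followed by pulling the referenced script for review rather than acting on the key alone.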
Social media private messages are typically less monitored than email, creating an attack surface that can bypass email-centric controls. Observed activity appears broad and opportunistic across sectors and regions.
WHY IT MATTERS
Using DLL sideloading with open source tools and social media lures increases the chance of evasion and persistent access. Security teams should include social media channels in their monitoring and detection coverage.