Phony Corsair LinkedIn Listing Contains DarkGate Malware

(Image credit: Corsair)

You can never be too careful when surfing the web, even if you’re looking for a new job. Corsair is a prominent name in the gaming hardware and accessories market, and it stands to reason that it would be a hot destination for enthusiasts in the market for a new job. However, some nefarious parties are using Corsair’s name to spread DarkGate malware to unsuspecting job seekers’ computers.

Bleeping Computer first noticed the report involving perpetrators from a Vietnamese cybercriminal ring using fake LinkedIn posts and direct messages to users about a job opening at Corsair. The phony content implies that Corsair is hiring a Facebook Ads specialist and targets LinkedIn users based in the United States, United Kingdom, and India. 

The LinkedIn posts and direct messages contain a link to a suspicious URL which is designed to appear as if it goes to Corsair, but does not. As if that URL isn’t suspicious enough, the link directs unsuspecting job applicants to a zip file (hosted by Dropbox or Google Drive) entitled “Salary and new” Contained within the zip file are the following files:

  • Job Description of Corsair.docx
  • Salary and new products.txt
  • PDF Salary and Products.pdf

According to WithSecure, the archive contains a VBS script that copies the Windows binary curl.exe to a different location and then renames it. The renamed file connects to an external site and downloads autoit3.exe and the autoit3 script. The executed script then manifests the DarkGate malware designed to extract sensitive information from its targets. The malware then tries to uninstall anti-malware software installed on a system, although WithSecure says that its software, along with Sophos and Forcepoint, thwarted those attempts.

DarkGate is related to previously identified Ducktail malware, which steals credentials/cookies and relays them to the bad actors. However, DarkGate has a more specialized component that targets Facebook Business accounts. “If it locates a Facebook Business account session cookie, it will attempt to add the attacker to the account as an administrator,” writes the security researchers at WithSecure. “[It] even has functionality to automatically create and publish fraudulent ad campaigns sent by the actor to the compromised device.”

We advise everyone to remain vigilant when dealing with unfamiliar or suspicious-looking posts and direct messages. And please, don’t go around haphazardly downloading and opening zip files, as you can’t always depend on your antivirus program to save your skin in every case.

Brandon Hill

Brandon Hill is a senior editor at Tom's Hardware. He has written about PC and Mac tech since the late 1990s with bylines at AnandTech, DailyTech, and Hot Hardware. When he is not consuming copious amounts of tech news, he can be found enjoying the NC mountains or the beach with his wife and two sons.

  • HaninTH
    "as you can’t always depend on your antivirus program to save your skin in every case."

    And this is why I do everything in purpose built VMs and only in the particular VM related to the action I am taking. I never surf the web or do any other dubious action from a VM setup to pay my bills online. I even go so far as to physically separate the VMs for general purpose internet activities to different physical VM hosts as to hopefully ensure that any exploitation of the VM host doesn't get to anything sensitive. The networks are VLANed with separate virtual routers which do not know the others exist as well. A lot of work for a sense of security, but it lets me sleep easier than if I were doing all of it from one bare metal OS/PC. I run all of this from repurposed/used, locally sourced, HP/Dell servers. You could, of course, do it with lesser equipment using a variety of lightweight VM software, I prefer ESXi and Hyper-V in tandem as I work with them daily as a profession.