Many employees are at least curious about their next job. That is the basis for this attack.
The attacker sends LinkedIn direct messages from a legitimate LinkedIn account.
If that doesn’t appeal to the target, the attacker sends emails to the target’s business email address suggesting a job offer.
The links in the email point to a web page that looks like the home page of a legitimate recruiter’s web site.
That web page automatically downloads an infected Microsoft Office document. The Office document contains malicious macros and tries to get the target to enable them.
Once the target enables the macros, they download the last stage of the attack, a piece of backdoor software called More_eggs, which allows the attacker to control the infected computer. Forever!
Once they have control of the machine they can download whatever other payloads they want to in order to further the attack – or attack other systems.
While this attack has a lot of vectors to get the victim to download the infected Word document, it ultimately boils down to convincing the user to enable macros.
If the user won’t click on the enable macro button, the entire scheme fails.
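Because the whole scheme depends on a macro-enabled document reaching the user, a mail gateway or download scanner can flag such files before anyone sees the "Enable Content" button. The following is an added example (not code from the article or from Bleeping Computer) that inspects an Office Open XML package for an embedded VBA project; the sample documents it builds are constructed stubs, not real Word files.

```python
import io
import zipfile

# Names inside an Office Open XML package that indicate embedded VBA code.
VBA_PART_SUFFIX = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def office_macro_indicators(data: bytes) -> list[str]:
    """Return the reasons a document looks macro-enabled (empty list = no VBA found).

    Works on OOXML packages (.docx/.docm/.xlsm/.pptm). Legacy OLE2 .doc files are
    not zip containers and need a separate parser (e.g. olefile), so they are
    reported as 'not-ooxml' for manual review rather than silently passed.
    """
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-ooxml"]
    with zf:
        # A .docx renamed from .docm still carries the VBA part, so check the
        # package contents rather than trusting the file extension.
        for name in zf.namelist():
            if name.lower().endswith(VBA_PART_SUFFIX):
                reasons.append(f"vba-part:{name}")
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ctypes = ""
        if VBA_CONTENT_TYPE in ctypes:
            reasons.append("vba-content-type")
    return reasons


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal package for demonstration only (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        parts = ['<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
        if with_macro:
            parts.append('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed-stub")
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(parts) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, office_macro_indicators(doc) or "no VBA found")
```

Anything that returns a non-empty list is a candidate for quarantine or for stripping the VBA part before delivery, regardless of how convincing the recruiter story is.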
Through simulated phishing attacks and other training, we have tried valiantly to stop users from clicking on prompts like the one that warns that enabling macros is dangerous and should only be done if you trust the sender. And people click on them anyway.
Judging by articles I found, this attack has been working since at least 2017. Apparently well enough for attackers to continue using it.
Users are almost always the weakest link in the security chain. This attack is no different.
Source: Bleeping Computer.