Full Report
Cofense uncovers new LinkedIn phishing scam delivering ConnectWise RAT. Learn how attackers bypass security with fake InMail emails…
Analysis Summary
# Tool/Technique: ConnectWise RAT
## Overview
A Remote Access Trojan (RAT) distributed through a sophisticated LinkedIn phishing campaign that uses fake InMail messages to trick victims into executing the payload.
## Technical Details
- Type: Malware (RAT)
- Platform: Not explicitly stated; typically Windows desktop systems, given how ConnectWise software is normally deployed.
- Capabilities: Provides remote control and access once executed. The attack vector leverages social engineering through LinkedIn.
- First Seen: March 5, 2025 (based on article publication date, indicating recent activity).
## MITRE ATT&CK Mapping
Since the article focuses on the delivery method (phishing) and the payload (RAT), the mapping focuses on the initial access and execution:
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (If the InMail contained an attachment/link leading to the payload)
- T1566.002 - Spearphishing Link (If the InMail directed the user to a malicious download)
- TA0002 - Execution
- T1204 - User Execution
## Functionality
### Core Capabilities
- Delivery via LinkedIn InMail messages.
- Exploitation of user trust through a social engineering pretext (phishing scam).
- Installation of a Remote Access Trojan (RAT) on the victim's system.
### Advanced Features
- Use of legitimate communication channels (LinkedIn InMail) to bypass standard email security controls. This suggests the use of social engineering tailored to the platform.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]
- Registry Keys: [Not provided in context]
- Network Indicators: [Not provided in context]
- Behavioral Indicators: Execution following interaction with a malicious link or attachment received via a LinkedIn InMail.
## Associated Threat Actors
- Not explicitly named; the activity is described only as a "LinkedIn phishing scam".
## Detection Methods
- Signature-based detection: match known signatures/hashes of the ConnectWise RAT payload once they have been identified.
- Behavioral detection: monitor for unusual process creation or outbound network connections originating from files the user executed after following a LinkedIn InMail link or attachment.
- YARA rules: [Not provided in context]
## Mitigation Strategies
- Educate users about highly targeted phishing attempts, specifically those originating from professional networking platforms like LinkedIn.
- Implement strict application whitelisting policies, especially for applications downloaded or executed post-interaction with unsolicited messages.
- Configure network security tools to inspect traffic for known C2 patterns associated with ConnectWise RAT variants, if known.
## Related Tools/Techniques
- Phishing (General Social Engineering)
- Spearphishing via non-email channels (e.g., direct messaging platforms)