Phishing Campaign Hides Malware in Resumes

Phishing Campaign Hides Malware in Resumes

For many people, applying for a new job is a soul-crushing activity on a par with cleaning the bathroom in a six-person student dorm room. 

Landing a new role can mean spending hours searching for positions, rewriting your résumé and cover letter countless times and using LinkedIn to badger people you haven't spoken to for years into giving you a reference. 

Now cyber-criminals have given job seekers a fresh obstacle to contend with after targeting companies with a phishing campaign that hides malware in résumés sent as email attachments.

The advanced campaign, which uses multiple anti-analysis methods to deliver Quasar remote access tool (RAT), was uncovered by phishing defense service provider Cofense Intelligence

Quasar RAT by itself isn't dodgy, but this legitimate open-source remote administration tool that can be found on GitHub has a history of being abused.

“This campaign is concerning as the US-CERT identifies the Quasar RAT as a favored tool of advanced persistent threat actors. This means that the most dedicated cyber-criminals are seeking to utilize this tool to exploit networks," said Carl Wearn, head of e-crime at Mimecast.

From the outside the campaign appeared simple but a closer looked showed that the threat actors had done their homework. First, they used an easily accessible tool that makes attributing the campaign to a specific threat actor as easy as teaching a rhino the clarinet. 

Second, they laced the résumé attachment document being used to deliver Quasar RAT with a multitude of measures designed to deter detection, including password protection and encoded macros. 

Announcing its find, Cofense said that "educating employees on new phishing trends is the best way of countering a campaign such as this."

Wearn added: "I would urge individuals, particularly those working within HR departments and used to receiving résumés or CVs, to be particularly vigilant for this form of attack. Organizations should ensure they have an up-to-date antivirus solution that can effectively resolve and detect this form of attack.”

Source: Information Security Magazine