The employment industry has seen its share of ups and downs, and companies looking for the right talent haven't always found the process to be easy. But as if that weren't difficult enough, now add malware to the list of problems: a fresh campaign is leveraging the CareerBuilder site to deliver convincingly realistic, malware-laden documents.
Proofpoint threat researchers recently detected a clever email-based attack that combines phishing and social engineering techniques in order to trick users into opening a malicious document. Criminals browse open positions listed on the CareerBuilder.com online job search and recruiting service and apply to them, submitting as their "resume" a malicious document in Microsoft Word format. The documents look legitimate, carrying innocuous names such as "resume.doc" or "cv.doc."
Instead of following the recent trend of macro-based malware in Office document attachments, the attachment is built with the Microsoft Word Intruder (MWI) service and exploits a memory corruption vulnerability in Word's RTF parser. Unlike a macro document, which needs the recipient to enable macros, a memory corruption exploit fires as soon as the file is opened, and Word will happily open RTF content regardless of the .doc extension it carries.
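The attachment described above is an RTF exploit document wearing a .doc name. A mail-gateway check that would have caught that mismatch, and that looks for the RTF constructs such documents rely on, is shown below. This is an added example, not code from the original article or from Proofpoint: the notification email, the sender and recipient addresses, and the RTF stub it scans are all constructed here for illustration (the stub is harmless and is not the campaign's exploit document), and the indicators it flags (`\objdata`, `\objupdate`, long hex blobs, NOP-like byte runs) are generic RTF-malware heuristics rather than anything the article attributes to this campaign.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# File-type signatures checked against the first bytes of an attachment.
MAGIC = [
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy binary .doc
    (b"PK\x03\x04", "zip/ooxml"),                     # .docx and friends
]

# What the extension claims the file should be.
EXPECTED_KIND = {".doc": "ole2", ".docx": "zip/ooxml", ".rtf": "rtf"}

# Constructed sample: RTF that embeds an OLE object with auto-update set and a
# long hex payload containing a NOP-like run. Harmless stub, built here for the
# example only; it is not the exploit document from the campaign.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objdata "
    + b"d0cf11e0a1b11ae1" + b"00" * 100 + b"9090909090909090" * 4
    + b"}}}"
)
# Constructed benign stand-ins for a real binary .doc and a .docx.
SAMPLE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32
SAMPLE_DOCX_LIKE = b"PK\x03\x04" + b"\x00" * 32


def build_sample_eml() -> bytes:
    """Constructed job-board style notification carrying 'resume.doc' (hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "notifications@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "New application: Middleware Developer"
    msg.set_content("A candidate has applied to your posting. Resume attached.")
    msg.add_attachment(SAMPLE_RTF, maintype="application", subtype="msword",
                       filename="resume.doc")
    return msg.as_bytes()


def sniff(data: bytes) -> str:
    """Identify the real container format from magic bytes, ignoring the filename."""
    head = data.lstrip()[:16]
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def rtf_indicators(data: bytes) -> list:
    """Generic RTF-malware heuristics (assumed indicators, not from the article)."""
    hits = []
    if re.search(rb"\\objdata", data):
        hits.append("embedded OLE object (\\objdata)")
    if re.search(rb"\\objupdate", data):
        hits.append("object set to auto-update on open (\\objupdate)")
    hexrun = re.search(rb"[0-9a-fA-F]{256,}", data)
    if hexrun:
        hits.append("long hex blob (%d chars)" % len(hexrun.group()))
    if re.search(rb"(90){8,}", data):
        hits.append("NOP-sled-like byte run")
    return hits


def analyze_attachment(filename: str, data: bytes) -> dict:
    """Flag extension/content mismatches and, for RTF, exploit-style constructs."""
    ext = os.path.splitext(filename.lower())[1]
    kind = sniff(data)
    findings = []
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        findings.append("extension %s but content is %s" % (ext, kind))
    if kind == "rtf":
        findings.extend(rtf_indicators(data))
    return {"filename": filename, "kind": kind,
            "findings": findings, "suspicious": bool(findings)}


def scan_eml(raw: bytes) -> list:
    """Walk every attachment of a raw RFC 822 message and analyze it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results.append(analyze_attachment(name, part.get_payload(decode=True)))
    return results


if __name__ == "__main__":
    for result in scan_eml(build_sample_eml()):
        print(result)
```

The point of sniffing by magic rather than trusting the extension is that Word itself ignores the extension, so a gateway rule that only looks at ".doc" versus ".rtf" sees nothing unusual about these attachments. A real deployment would run this on the notification mail before it reaches the "hr@" mailbox, since once the resume is forwarded internally every recipient becomes a fresh chance for the exploit to land.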
“MWI is an underground crime service—already well documented—that builds CVE-weaponized dropper or downloader documents for any malware,” Proofpoint explained. “A seller with handle ‘Object’ has been observed offering the service since May 31, 2013 on underground Russian forums for approximately $2,000 to $3,000.”
The approach is a bit of genius as far as social engineering goes. As the security firm explained: “When a resume has been submitted to a listed job opening, the CareerBuilder service automatically generates a notification email to the job poster and attaches the document, which in this case is designed to deliver malware. While this approach is more manual and requires more time and effort on the part of the attacker, the probability of the mail being delivered and opened is higher.”
So rather than attempting to craft a realistic lure themselves, the attackers have capitalized on the brand and workflow of a real site. The approach also delivers more bang for the buck: once the document has been received by the owner of the job listing (often an “hr@” mailbox) it is forwarded to the hiring manager, interviewers and other stakeholders, who open and read it as well.
“Taking advantage of this dynamic enables the attackers to move laterally through their target organization,” Proofpoint said.
The campaign was low-volume and, judging by the victims, seemingly indiscriminate in sector: it hit stores, energy companies, broadcast companies, credit unions and electrical suppliers. The actor appeared to target positions in engineering and finance, such as “business analyst,” “web developer” and “middleware developer.”
“The skills listed for these positions can reveal valuable information about the tools and software that are running in the target organization and thus enable the actor to tailor their attack,” Proofpoint pointed out.
Once opened, the document exploits a known Word vulnerability to plant a malicious binary, which downloads and unzips an image file that in turn drops the Sheldor rootkit on the victim’s computer.
“High-volume unsolicited email campaigns instead use attachments more often than URLs to deliver their malware, with a particular emphasis on malicious Office documents,” Proofpoint said. “This clever attack demonstrated techniques similar to those now used for URL-based campaigns, but this time to deliver malicious attachments, and exemplifies the practice of piggybacking on legitimate email services and sites in order to trick wary end-users and compromise targeted businesses.”