Hackers are using fake resumes to steal credentials in a new phishing campaign. Researchers found the attack targeting French-speaking corporate environments, with lures designed to look harmless.
The emails carry fake resume attachments posing as job applications, so HR teams often open them without suspicion. Once opened, the files launch hidden malware that gives attackers access to enterprise systems. The campaign also deploys crypto miners and data stealers.
Phishing Emails Deliver Hidden Malware
The attack begins with phishing emails carrying attachments disguised as CV documents. The files are actually malicious scripts.
The scripts are written in Visual Basic and heavily obfuscated to hide their true purpose, which makes them hard for security tools to analyze. When opened, the script displays a fake error message claiming the file is corrupted, while the malicious actions run silently in the background.
Obfuscation and Evasion Techniques
The script uses extreme obfuscation: it contains over 200,000 lines of code, of which only a small portion is functional.
The rest of the file is random text that inflates the file size and helps the script evade detection and analysis tools. The malware also checks the system environment and, if it detects a sandbox or test system, does not execute.
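Two traits described above, a script attachment named like a CV and a file padded to tens or hundreds of thousands of lines with almost no functional code, can be checked at the mail gateway before a human opens the file. The triage function below is an added example written for this article, not code from the researchers or from the campaign; the thresholds, the resume-name pattern and the assumption that the padding consists of blank or comment lines are mine.

```python
"""Attachment triage heuristics for the fake-resume campaign described above.
Thresholds and the comment-padding assumption are illustrative, not from the report."""
import re
from dataclasses import dataclass, field

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}
# Assumed lure vocabulary: English and French words an HR mailbox would expect
RESUME_WORDS = re.compile(r"(cv|resume|r[eé]sum[eé]|candidature)", re.IGNORECASE)
LINE_PADDING_THRESHOLD = 50_000      # assumed: far above any legitimate script
FUNCTIONAL_RATIO_THRESHOLD = 0.05    # assumed: under 5% of lines do real work

@dataclass
class Triage:
    suspicious: bool
    reasons: list = field(default_factory=list)

def functional_ratio(script_text: str) -> float:
    """Share of lines that are neither blank nor a VBScript comment (' or Rem)."""
    lines = script_text.splitlines()
    if not lines:
        return 1.0
    functional = sum(
        1 for line in lines
        if line.strip()
        and not line.lstrip().startswith("'")
        and not line.lstrip().lower().startswith("rem ")
    )
    return functional / len(lines)

def triage_attachment(filename: str, content: str) -> Triage:
    """Flag CV-named scripts, double extensions and junk-padded files."""
    reasons = []
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in SCRIPT_EXTS and RESUME_WORDS.search(name):
        reasons.append(f"resume-named file with script extension {ext}")
    if ext in SCRIPT_EXTS and name.count(".") >= 2:      # e.g. cv.pdf.vbs
        reasons.append("double extension hiding a script")
    nlines = content.count("\n") + 1
    if nlines >= LINE_PADDING_THRESHOLD and functional_ratio(content) < FUNCTIONAL_RATIO_THRESHOLD:
        reasons.append(f"{nlines} lines but functional ratio below threshold")
    return Triage(bool(reasons), reasons)

def build_padded_sample() -> str:
    """Constructed sample: two real lines buried under 60,000 junk comment lines."""
    junk = "\n".join(f"' filler text {i}" for i in range(60_000))
    return "Dim x\nx = 1\n" + junk
```

In practice the padding check runs on the decoded attachment body, and the name checks also apply to files nested inside archives.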
Targeting Enterprise Systems Only
The malware uses a domain-checking mechanism to verify whether the system belongs to a corporate network, so it avoids infecting personal devices.
This approach ensures higher-value targets, since corporate systems often contain sensitive data. Once a corporate host is confirmed, the malware requests admin privileges and repeatedly prompts the user until access is granted, giving it deeper control of the system.
Disabling Security and Maintaining Access
After gaining access, the malware disables security protections. For example, it modifies antivirus settings and changes system configurations to reduce alerts.
The script removes itself after execution but installs other malicious components, hiding traces of the initial infection.
It downloads additional tools from cloud storage, including credential stealers and persistence mechanisms, so attackers maintain long-term access.
Credential Theft and Crypto Mining
The malware steals browser data and credentials, extracting saved passwords and session data, and also collects desktop files.
The attackers use multiple tools for data theft: some target specific browsers, while others scan the whole system, so they gather large amounts of sensitive information. At the same time, the malware installs a crypto miner that uses system resources to mine digital currency, leaving victims with degraded performance.
Data Exfiltration and Cleanup
The stolen data is sent through email channels to external mail servers controlled by the attackers, so it leaves the network unnoticed.
After completing the theft, the malware removes temporary files but leaves key components active, including the miner and the persistent access tools. The entire attack runs very quickly, in many cases completing within seconds, which makes detection extremely difficult.
How to Prevent Fake Resume Malware Attacks
Organizations should train HR teams to verify email attachments carefully, for example by not opening unknown resume files. Awareness alone, however, is not enough.
Companies should implement advanced email filtering and endpoint monitoring, which can detect suspicious scripts and abnormal behavior. In addition, managed detection services can identify rapid credential theft and unauthorized mining activity, and regular vulnerability assessments help uncover weak configurations. Together these measures reduce the risk of fake resume phishing attacks.