Evasive Resume Phishing Campaign Distributed Multiple Malware Payloads


An evasive phishing email campaign used fake resumes to infect recipients with one of several malware payloads.

秋葵视频色's cloud-based email security solution 秋葵视频色Protect first detected several waves of the campaign in March 2019. Based on the samples it analyzed, an attack attempt began when a user received an email that appeared to be an unsolicited application for an unnamed job. The sender used the email to explain that they were interested in a position and had therefore sent along their resume as an attached Microsoft Office document.

Sean Vogt, Associate Product Manager at 秋葵视频色, observed something unique about this attachment that helped the malicious Office documents avoid detection. As he explained to me in an email:

What's interesting about this attack is that they password protected the Office files to circumvent sandboxing and other content scanning on the Office documents. Some engines can't detect malicious payloads inside of password protected files at all, leaving administrators with an "all or nothing" approach that either blocks all encrypted files of a specific type or lets them through and leaves it up to the endpoint to catch the malware.

The use of password-protected files allowed those behind this campaign to exploit the "human element." If the endpoint failed to spot the threat, a user could have used the password included in the body of the attack email to open the protected Office file. Doing so would have loaded one of several malware families, including the following:

  • IcedID: IcedID is a banking trojan that first emerged in the wild in September 2017. At the time of discovery, the malware relied solely on Emotet for distribution in digital attacks targeting banks, payment card providers and similar organizations. While the malware maintains a close association with Emotet to this day, its operators have broadened IcedID's capabilities. One such update came in April 2018, when researchers observed the formation of a new distribution partnership between IcedID and Ursnif/Dreambot. Just a few months later, researchers noticed that the bad actors behind IcedID had forged a similar partnership with Trickbot.
  • Dridex: Back in 2015, several security firms joined forces with international law enforcement to seize control of the Dridex botnet by poisoning each sub-botnet's P2P network and redirecting infected systems to a sinkhole. Though successful, this effort didn't shut down Dridex for good. At the beginning of 2018, researchers observed a new campaign in which a new variant of the banking malware appeared and began using compromised FTP sites for distribution. The security community has also learned more about the threat's creators and infrastructure since then. Near the end of January 2018, for instance, a Slovakian security firm uncovered a new ransomware family named "BitPaymer" and linked it to Dridex's authors. Almost a year later, researchers observed that the makers of Dridex were using a loader that behaved similarly to one used by the Ursnif and Emotet gangs.

As stated above, many security products can't detect this evasive malware campaign because it uses password-protected Office files. But the operation wasn't able to sneak by every solution. 秋葵视频色Protect's "Pattern Matching" filter, for instance, allowed the solution to unlock the Office files and subsequently block their malicious content. That is the value of an email security tool that scans incoming mail against URLs, patterns, IP addresses, known malware signatures and other indicators: suspicious messages are caught while benign ones are allowed through.
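The detection gap Vogt describes can be narrowed without any password-cracking: an encrypted OOXML file is wrapped in an OLE2 container rather than a ZIP, so its magic bytes give it away, and the lure only works if the password travels in the same message. The triage below, an added example in Python's standard library and not the vendor's code, pairs those two signals; the sample message, the `example.invalid` addresses and the password-phrase regex are constructed here for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Plain OOXML (.docx/.xlsx/...) is a ZIP and starts with "PK"; a password-
# protected OOXML file is instead stored in an OLE2 compound container
# (ECMA-376 encrypted package), so the first bytes alone reveal encryption.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
OOXML_EXT = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
# Heuristic (constructed) for "the password is 1234" / "Password: abc" in the body.
PASSWORD_RE = re.compile(r"\bpass(?:word|code)?\s*(?:is|:)\s*([^\s.,;]+)", re.I)


def is_encrypted_ooxml(name: str, data: bytes) -> bool:
    """OOXML-named attachment whose bytes are an OLE2 container, not a ZIP."""
    return name.lower().endswith(OOXML_EXT) and data.startswith(OLE2_MAGIC)


def password_candidates(body: str) -> list:
    """Strings the body presents as a password for the attachment."""
    return PASSWORD_RE.findall(body)


def triage(raw: bytes) -> dict:
    """Flag mail pairing an encrypted Office attachment with a password in the
    body: the combination this campaign relied on to dodge content scanning."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    encrypted = [p.get_filename() for p in msg.iter_attachments()
                 if is_encrypted_ooxml(p.get_filename() or "", p.get_content())]
    passwords = password_candidates(text)
    return {"encrypted_attachments": encrypted, "passwords_in_body": passwords,
            "suspicious": bool(encrypted and passwords)}


def build_sample(encrypted: bool = True) -> bytes:
    """Constructed test message (not a real campaign sample) mimicking the lure:
    a fake job application with a 'resume.docx' and its password in the text."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "Job application"
    msg.set_content("Hello, I am interested in the open position and have "
                    "attached my resume.\nThe password is 1234\n")
    header = OLE2_MAGIC if encrypted else ZIP_MAGIC   # encrypted vs. plain .docx
    msg.add_attachment(header + b"\x00" * 64, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="resume.docx")
    return msg.as_bytes()
```

A mail gateway that can already read the body can feed the recovered candidate to its own unpacker, which is the step the "Pattern Matching" filter performs; a plain .docx with the same wording is not flagged, keeping the check narrower than an "all or nothing" block on encrypted attachments.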
