Malware being sent in job applications

Malware being sent in job applications

If you’re in any kind of business there’s a good chance you have to deal with resumes on a daily basis, especially if you’re a manager or Human Resources professional. While you probably delete that Viagra ad and ignore the promise of Nigerian riches, when a resume hits your inbox, you read it.

Spammers know this and have been increasingly presenting Malware as if it were a resume, hoping that the recipient will be so curious about a potential applicant that they open or run something that they shouldn’t. This practice of using rigged document files goes back to the early 2000’s where exploits for Microsoft’s document format existed even before Office 2000.

Let’s not forget when we could encoded Malware into a MIME header or .eml file and make IE/Outlook execute it… without even opening it. 🙂

These waves of Malware use obfuscation and “dropper” payloads to avoid detection. A dropper serves only to pull a payload, and a backdoor down for Botnet control. It rarely is detected as malicious because of its simple nature. The Antivirus products may continuously delete the Malware payloads, but as time passes with the dropper alive and well. The Malware creators are given the opportunity of changing the package and evading detection.

The Internet Crime Complaint Center (IC3) is reporting that businesses have received Bredolab variants in email attachments masquerading as job applications.

“Recent FBI analysis reveals that cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online,” IC3 said in a news release.

They also said: “The FBI recommends that potential employers remain vigilant in opening the e-mails of perspective employees. Running a virus scan prior to opening any e-mail attachments may provide an added layer of security against this type of attack. The FBI also recommends that businesses use separate computer systems to conduct financial transactions.”

It’s called “spear phishing” – malicious code sent specifically to someone in a company who would be expecting that type of email (job applications in attachments in this case.)

“Recently, more than $150,000 was stolen from a US business via unauthorized wire
transfer as a result of an e-mail the business received that contained malware. The
malware was embedded in an e-mail response to a job posting the business placed on
an employment website and allowed the attacker to obtain the online banking credentials
of the person who was authorized to conduct financial transactions within the company.
The malicious actor changed the account settings to allow the sending of wire transfers,
one to the Ukraine and two to domestic accounts. The malware was identified as a
Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan,
which is commonly used by cyber criminals to defraud US businesses.”

“Anyone who believes they have been a target this type of attack should immediately
contact their financial institutions and local FBI office, and promptly report it
to the IC3’s website at www.IC3.gov. The IC3’s
complaint database links complaints together to refer them to the appropriate law
enforcement agency for case consideration. The IC3 also uses complaint information
to identify emerging trends and patterns.”