Some cyberattacks involve sophisticated malware and meticulous planning to pull off, while others, just a lot of smarts. Email security firm Proofpoint reported one attack Thursday that falls into the latter category: they describe it as a “clever email-based attack” involving the use of phishing and social engineering techniques to sneak malware into several businesses.
Basically, the modus operandi involves the threat actor simply browsing through open job positions on CareerBuilder’s online job search website and responding to some of them with a malicious document in Microsoft Word format titled “resume.doc” or “cv.doc.”
When a resume is submitted, CareerBuilder automatically sends a notification email to the company that posted the ad, along with the resume attached to it.
In this particular case, when the end-user opens the email and attempts to view the attachment, the document exploits a known vulnerability in Word to place a malicious binary on the user’s system. The binary then contacts a command and control server, which downloads and unzips a image file, which in turn drops a backdoor dubbed Sheldor on the victim’s computer, Proofpoint said in a blog post describing the attack.
The attack is manual and requires some time and effort compared to the automated malware tools out there. But what makes it effective is the fact that there is a much higher likelihood that emails containing the malicious attachments will be opened by those who receive it, Proofpoint said.
“Not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient,” the company said. And because of how resumes are typically circulated within an organization, there is a good chance the malicious attachment will be sent to hiring managers, interviewers, and other stakeholders within the company that posed the ad, the researchers said. “Taking advantage of this dynamic enables the attackers to move laterally through their target organization."
The attack campaign that Proofpoint discovered appeared fairly indiscriminate and included as its targets several retail stores, energy companies, broadcast companies, credit unions, and electrical supply firms. The attackers seemed to focus on job positions in engineering and finance with titles such as “web developer” “business analyst,” and “middleware developer.”
Interestingly, the requirements listed in ads for such positions can reveal a lot about an organization’s technology infrastructure and actually help the perpetrator tailor attacks more effectively, Proofpoint said.
The email security vendor described the malware itself as using the Microsoft Word Intruder (MWI) service and exploiting a memory corruption vulnerability for Word Rich Text Format files. MWI is an exploit kit that provides among other things, a dropper for different types of malware tools.
The CareerBuilder campaign “has a simple elegance and brilliance that I can appreciate as a security professional,” said Brett Fernicola, chief information security officer at STEALTHbits Technologies. “You would think that a Word document designed to take advantage of a known exploit would trip some type of definition pattern, but in many cases it will not,” he says.
In this particular incident, the actual payload that is dropped on the victim’s computer once the attachment is opened, is likely to slip past defenses, because it is concealed in an image.
“Many automated detection systems (such as IDS and sandboxes) that monitor web and email traffic for malware are likely to ignore images,” Proofpoint said. Similarly, humans are vulnerable to the same bias and are unlikely to suspect that the image file contains the malware they are trying to find.
Phishing continues to be a top attack vector simply because it is so effective, says Ken Westin, senior security analyst at Tripwire. “Attackers find creative ways to exploit our trust in brands we are familiar with either through making emails or websites [appearing] to be associated with the brand,” he said.