Attackers have recently taken to the job-search website CareerBuilder to spread Microsoft Word documents that appear to be job hopefuls’ resumes, but in reality, are laden with malware.
Researchers at the security firm Proofpoint discovered the campaign and discussed their findings in a blog post. In the attack, which has since ceased, malicious Word documents with generic names such as “resume.doc” and “cv.doc” were attached to the automated emails CareerBuilder sends to employers. The attackers took the time to respond to legitimate job postings with the documents, and CareerBuilder forwarded each application, attachment included, to the person who posted the job.
Hiring managers, recruiters and other employees open the emails and download the attachments, which at least on the surface appear authentic. The files then exploit a memory corruption vulnerability in Word’s RTF parser, after which the compromised machine establishes a connection to a command and control (C&C) server and downloads a payload. That payload is a binary that downloads a .zip file; the archive yields an image file, which in turn drops a rootkit, Sheldor, onto the infected machine.
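The chain above gives a defender three cheap triage points before any exploit runs: a “.doc” that is really RTF, RTF control words that embed an OLE object (the usual carrier for RTF exploit payloads), and an “image” that has extra bytes after its terminator. The script below is an added example written for this page, not Proofpoint’s or FireEye’s tooling; the sample RTF and image bytes are constructed, and the checks are generic heuristics, not a signature for this specific campaign (the page does not say how the image stage carries the rootkit, so the trailing-bytes check is an assumption about one common technique).

```python
"""Offline triage of e-mailed attachments for the resume-lure chain (added example).

Checks, in order of cost:
  1. extension/content mismatch: a ".doc" whose bytes begin with "{\\rtf"
  2. RTF object-embedding control words and long hex runs (\\objdata carries
     binary payloads as hex text)
  3. image files with data appended after PNG IEND / JPEG EOI
All sample inputs below are constructed for this example.
"""
import re
import struct
import zlib

RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc container
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

# Control words that embed OLE objects in RTF; benign documents rarely need them.
SUSPICIOUS_RTF_WORDS = (b"\\object", b"\\objdata", b"\\objclass", b"\\objupdate")
HEX_RUN = re.compile(rb"[0-9a-fA-F]{512,}")
# Low-signal context only: generic names used by the lures described on this page.
LURE_NAMES = {"resume.doc", "cv.doc"}


def detect_format(data: bytes) -> str:
    """Classify by magic bytes, ignoring the file name entirely."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def rtf_findings(data: bytes) -> list:
    findings = [f"rtf embeds object ({w.decode()})" for w in SUSPICIOUS_RTF_WORDS if w in data]
    run = HEX_RUN.search(data)
    if run:
        findings.append(f"long hex run ({len(run.group(0))} chars), typical of \\objdata payloads")
    return findings


def image_trailing_bytes(data: bytes) -> int:
    """Number of bytes after the image terminator; >0 means something was appended.
    For JPEG the first EOI is used, so an EXIF thumbnail can give a false positive;
    acceptable for triage, where a human or sandbox looks at anything flagged."""
    if data.startswith(PNG_MAGIC):
        pos = data.find(b"IEND")
        return 0 if pos == -1 else len(data) - (pos + 4 + 4)  # type + CRC
    if data.startswith(JPEG_MAGIC):
        pos = data.find(JPEG_EOI)
        return 0 if pos == -1 else len(data) - (pos + 2)
    return 0


def triage_attachment(name: str, data: bytes) -> list:
    findings = []
    fmt = detect_format(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if name.lower() in LURE_NAMES:
        findings.append("generic lure filename")
    if ext in ("doc", "dot") and fmt == "rtf":
        findings.append("extension/content mismatch: .doc is really RTF")
    if fmt == "rtf":
        findings.extend(rtf_findings(data))
    if fmt in ("png", "jpeg"):
        extra = image_trailing_bytes(data)
        if extra > 0:
            findings.append(f"{extra} bytes appended after image terminator")
            if data[-extra:].startswith(b"MZ"):
                findings.append("appended data starts with MZ (PE header)")
    return findings


# --- constructed samples -----------------------------------------------------
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


MINIMAL_PNG = (PNG_MAGIC
               + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
               + _png_chunk(b"IEND", b""))
STAGED_IMAGE = MINIMAL_PNG + b"MZ" + b"\x90" * 64          # fake PE appended (constructed)
MINIMAL_JPEG = JPEG_MAGIC + b"\xe0" + b"\x00" * 4 + JPEG_EOI
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
              + b"41" * 600 + b"}}}")                      # constructed, not a real exploit

if __name__ == "__main__":
    for name, blob in (("resume.doc", SAMPLE_RTF), ("photo.png", STAGED_IMAGE),
                       ("photo.png", MINIMAL_PNG)):
        print(name, "->", triage_attachment(name, blob) or ["clean"])
```

Run against a mail spool export, the script surfaces the mismatch and the embedded-object markers on the first stage and the appended data on the image stage; neither check depends on the specific CVE, which is the point when the builder in use is sold with whatever exploit is current.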
“The inventive combination of effective delivery with a very stealthy infection routine enables attackers to evade automated defenses and fool skeptical end-users,” Proofpoint’s research reads. “Instead of a new employee, the victim organizations welcome a dangerous piece of malware.”
Researchers point out that the malicious Word documents were built with Microsoft Word Intruder, or MWI, a tool FireEye profiled early last month. The “builder” sells for $2,000-$3,500 on underground forums and produces documents weaponized with known CVEs. While it is marketed for use in APT-style attacks, it can just as easily be used in spam campaigns.
Proofpoint says CareerBuilder took “prompt action” to address the issue, but the campaign is a handy reminder that Word documents and PDF files, whether uploaded to job search websites or sent as email attachments, remain an effective medium for distributing malware.
Researchers with Trusteer spotted attackers leveraging CareerBuilder’s site a few years back to propagate a variant of the Zeus Trojan.