Attackers Peddling Malware via CareerBuilder

Attackers have recently taken to the job searching website CareerBuilder to spread Microsoft Word documents that masquerade as job hopefuls’ resumes, but in reality, are laden with malware.

Attackers have recently taken to the job-search website CareerBuilder to spread Microsoft Word documents that appear to be job hopefuls’ resumes, but in reality, are laden with malware.

Researchers at the firm Proofpoint discovered the campaign and discussed their findings in a blog post. In the attack, which has since ceased, malicious Word documents with vague titles such as “resume.doc” and “cv.doc” were being attached to automated emails sent through CareerBuilder to employers. Attackers took the time to respond to legitimate job postings with the documents, which in turn were forwarded to the job’s poster.

Hiring managers, recruiters and other employees open the emails and download the attachments, which at least on the surface appear authentic. The files then go on to exploit a memory corruption vulnerability in Word RTF, a line of communication is forged between the command and control (C+C) server, and the infected machine downloads a payload. For the payload, the binary downloads a .zip file, which yields an image file, which drops a rootkit, Sheldor, onto the infected machine.

“The inventive combination of effective delivery with a very stealthy infection routine enables attackers to evade automated defenses and fool skeptical end-users,” Proofpoint’s research reads, “Instead of a new employee, the victim organizations welcome a dangerous piece of malware.”

Researchers point out the malicious Word documents were built with Microsoft Word Intruder, or MWI, a tool FireEye profiled early last month. The “builder” tool can be purchased for $2,000-$3,500 on underground forums and serves up CVE-weaponized docs. While technically marketed toward use in APT style attacks, it can also be used in spam campaigns.

Proofpoint claims CareerBuilder took “prompt action” to address the issue but the campaign is a handy reminder that Word Documents and .PDF files – on job search websites and in email attachments alike – remain an effective medium for attackers to parse out malware.

Researchers with Trusteer spotted attackers leveraging CareerBuilder’s site a few years back to propagate a variant of the Zeus Trojan.

Suggested articles


  • Karen Bannan on

    This shows how threats are truly coming from everywhere. The only way to thwart them is to have a multi-pronged security plan in place that takes everything into account. I read the FireEye blog ( and I thought this was especially scary and interesting. (It is located toward the end of the blog post.) "The data indicates that 597 users opened the malicious documents. However, only 180 of those successfully downloaded the malware payload. There were 182 “suspicious” connections. A total of 402 unique IP addresses beaconed to the MWISTAT servers." That's a LOT of risk and a lot of problems that IT folks had to deal with. Scary stuff. --KB Karen J. Bannan, commenting on behalf of IDG and FireEye.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.