Given a buzzing job market that’s continued heating up, hackers have found a clever vector for malware: résumés.
The stealthy, AV-evading attack, reported by the Ontario, Canada-based managed detection and response provider eSentire, takes advantage of an expected arrival for HR and highlights the importance of awareness training for those handling résumés and CVs.
Members of eSentire’s Threat Response Unit (TRU) team detected and shut down four recent attacks involving malware-serving résumés, including three incidents at the end of March 2022. The attackers targeted a US-based aerospace/defence company that makes and repairs airline components; a large UK-based CPA firm; an international business law firm based in Canada; and a national Canadian staffing agency, according to eSentire.
The malicious résumés contain the evasive, nothing-to-do-with-Easter “more_eggs” software, designed to steal usernames and passwords for IT admin accounts, email addresses, and corporate banks, according to the report from eSentire.
How it works: A malicious attachment will invite the reader to a personal, résumé-serving branding page. The unsuspecting résumé reader then downloads a poisoned LNK – a shortcut file, similar to a desktop icon, that automates program execution.
The name of the PDF attachment may include a person’s name, a realistic job title, and the word “résumé,” but the recipient won’t see a résumé, said Keegan Keplinger, a member of the TRU team.
“It’ll look like it’s broken, essentially, to a user that doesn’t recognize they’re clicking a link,” Keplinger, eSentire research and reporting lead at eSentire told IT Brew.
The program is executed after the poisoned “VenomLink” is downloaded: a collection of intrusion malware detonated by TerraLoader. TerraLoader installs several module options for an attacker looking to disrupt a victim’s IT network: credential theft, lateral movement, and file encryption, to name a few.
TerraLoader sets up a variety of malware-as-a-service modules like TerraStealer, which exfiltrate sensitive data. Other parts of the malware package include TerraTV, a program that allows threat actors to hijack the remote-support tool TeamViewer, and TerraCrypt, a ransomware plugin, per the entire report.
A Compromise of an Expected Attachment
The malware is an especially challenging threat amid the Great Resignation, when HR teams are being inundated with resumes on the regular.
“This is an expected communication. It’s something that [employers] are expecting to receive in the form of a résumé,” said Craig Dickinson, client success services director at the infosec cooperative SANS Institute. Dickinson works with clients on advisory services, particularly around threat vectors like phishing and security awareness training.
“There’s an element of trust there with regards to the résumé,” Dickinson told IT Brew.
The spear-phishing campaign is an effective one, said Erich Kron, a security awareness advocate at security awareness platform KnowBe4, because HR staff are working fast.
“They’re busy doing their thing, they’re reviewing résumés, they don’t think twice about, ‘Oh, this one has an attachment,’” said Kron.
To make the attack even trickier for hiring staff: The name of the attachment often features the name of the position that the employer is seeking to fill.
“If they’re looking for an accountant, it’ll load ‘accountant’ under that person’s name.“If they’re looking for a director, it’ll put ‘director’ under that person’s name.” said Keplinger.
“The personalization is likely occurring when the attacker submits the PDF to the recruiting site. That’s when the attacker has the opportunity to see the job position and put the right words in,” Keplinger told IT Brew in a follow-up email.
The attack is a reversal of a more_eggs incident spotted a year ago by eSentire, and detailed in a 2021 blog post by the company.
That time, rather than posing as hopeful job candidates, the threat actors, targeted job seekers, disguising offers to LinkedIn users. When the targets opened a zip file, it led to the installation of more_eggs.
What IT Teams Can Do
Corporations should protect their HR departments by deploying the usual email-inspection technology and flagging or deleting emails containing an infected attachment, said Dickinson. Another strong defence, according to the SANS Institute expert, is to create a central hiring portal—one that implements strong security controls.
“The application process should rely on…a candidate going in and filling out a formal application process that only grants text-based submissions,” Dickinson told IT, Brew.
And a general rule that Dickinson emphasizes with clients: Never open any documents that require any type of customized commands, known as macros. If you get a message that asks “Do you want to enable active content?” everyone on the HR staff should know the answer.
“Macros are bad. Period,” said Dickinson.
HR teams should try to only accept documents in a form that does not enable macros, added Kron, like “docx.”
The more_eggs malware is especially evasive because it uses signed, trusted Windows processes called LOLBins, or living off the land binaries, to send malicious code. More_eggs abuses the signed windows binary of ie4uinit.exe, but antivirus software won’t necessarily catch that.
“The antivirus is just seeing a legitimate Windows process firing,” said Keplinger, who watched LOLBins to discover the attack. “It’s going to be hard to detect unless you’re doing some kind of LOLBin monitoring. You have to have a really good employee awareness, and a reporting system for that.”
Employee awareness is an essential strategy to protect against this type of phishing attack, according to several experts.
“So, and oftentimes, applicants have to go through HR software, right, or recruiting software to submit and upload their resume,” said Jess Burn, senior analyst at Forrester. “So if you’re getting something directly, and you’re not expecting it, that, you know, in and of itself should give you pause, as a hiring manager.”
Dickinson recommends identifying the employees most at-risk of opening bad résuméss and starting tracking new social-engineering threats and placing them in a centralized location, like a SharePoint repository.
“All employees at every level across the organization should receive components or elements of security awareness training, to ensure that they have the skills required to identify an attack,” said Dickinson.
Or to put it another way:
“Technology alone cannot protect you.”