Proofpoint threat researchers recently detected a clever email-based attack that combines phishing and social engineering techniques in order to trick users into opening a malicious document. In this attack, the actor browses open positions listed on CareerBuilder.com, a popular online job search and recruiting service, and attaches resumes to job postings as malicious documents in Microsoft Word format. In this specific case, we observed the actor attach a Word document named “resume.doc,” or “cv.doc.”
When a resume has been submitted to a listed job opening, the CareerBuilder service automatically generates a notification email to the job poster and attaches the document, which in this case is designed to deliver malware. While this approach is more manual and requires more time and effort on the part of the attacker, the probability of the mail being delivered and opened is higher. Rather than attempt to create a realistic lure, the attackers here have instead capitalized on the brand and service of a real site: the recipients are likely to read them and open the attachments because not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient. (Fig. 1) Moreover, because of the way that resumes are circulated within an organization, once the document has been received by the owner of the job listing (often “hr@<company name>”) it will be sent to the hiring manager, interviewers, and other stakeholders, who will open and read it as well. Taking advantage of this dynamic enables the attackers to move laterally through their target organization.
Figure 1: Phishing email containing malicious attachment
In this campaign, Proofpoint detected seemingly indiscriminate, low-volume (less than ten emails) documents targeting of stores, energy companies, broadcast companies, credit unions, and electrical suppliers. The actor appeared to target positions in engineering and finance, such as “business analyst,” “web developer,” and “middleware developer”: the skills listed for these positions can reveal valuable information about the tools and software that is running in the target organization and thus enable the actor to tailor their attack.
Instead of following the recent trend of using macro-based malware of Office document attachments, the attachment is built using the Microsoft Word Intruder Service (MWI) and exploits a memory corruption vulnerability for Word RTF (such as CVE-2014-1761, CVE-2012-0158, and others). MWI is an underground crime service – already well documented – that builds CVE-weaponized dropper or downloader documents for any malware. A seller with handle “Object” has been observed offering the service since May 31, 2013 on underground Russian forums for approximately US$2,000 to US$3,000.
Upon successfully executing the exploit, the attachment opens a connection to a command and control (C2) server in order to download the payload executable. (Fig. 2) Two HTTP requests are performed: the first on document load, and the second returning the binary. This protocol is detected by Proofpoint Emerging Threats signature 2020700.
Figure 2: Successful exploitation leads to download of payload.
Dropper: Extracts Image/Archive
The executable delivered by the document (MD5: 025b5440af28a86fd793b3e9df994cd5) contains and extracts the actual payload. Bundled into the dropper is a recent version of 7-Zip utility (MD5: b41886a0207245a4c7179671c6b0e6e5) and a concatenated image/archive file. (Fig. 3)
Figure 3: The document drops an executable that unzips this image file
Figure 4: Viewing the image in hex editor we can see the 7z signature 0x377A after end of JPEG 0xFFD9
Thanks to a 7-Zip bug that similar to one – reported for ZIP archives – that creates or unzips a concatenated image/archive file that is both a valid JPEG and a 7-Zip archive, web browsers and file browsers render the file as if it were an image, but 7-Zip utility skips over the image data, finds and extracts the compressed archive, which then dumps all the payload binaries out to disk (Figs. 5-6).
Figure 5: Dropper extracting the contents of image/archive file using 7-Zip into Application Data folder
Figure 6: Contents of the 7-Zip archive within the image/archive file
The advantages of this subterfuge are twofold: on the one hand, many automated detection systems (such as IDS and sandboxes) that monitor web and email traffic for malware are likely to ignore images, thus enabling this malware to sneak past existing automated defenses. Similarly, humans are vulnerable to the same bias: even a security specialist responding to a potential incident is likely to look past any images as being irrelevant to the incident that and not suspect that this image file is in fact hiding the malware they are trying to find.
Extracting the contents of the image/archive file drops a Sheldor backdoor, which bundles in a TeamViewer application. TeamViewer is a cloud service in which both the client and the server initiate a connection to an endpoint in the cloud; only after doing so do they then establish a connection to each other. This technique helps bypass NAT restrictions and adds a level of anonymity. (Figs. 7-8)
Figure 7: Sheldor connecting to C2
Figure 8: Sheldor C2 server
To summarize this attack: an attacker uploads a malicious MWI-built Word document to a job-search site (in this case, CareerBuilder), and the service emails the attachment to one or more end-users in the hiring organization. When the end-user opens the email and attempts to view the attachment, the document exploits a known Word vulnerability to place a malicious binary that downloads and unzips an image file, which in turn drops the Sheldor rootkit on the victim’s computer.
This inventive combination of effective delivery with a very stealthy infection routine enables attackers to evade automated defenses and fool skeptical end-users. Instead of a new employee, the victim organizations welcome a dangerous piece of malware. Moreover, it is important to note that job search services are themselves also victims in this attack because they are being exploited to deliver malicious attachments that bypass organizations’ existing defenses and even user training.
Impact and Recommendations
Proofpoint contacted CareerBuilder to alert them to this threat, and they took prompt action to address the issue. All job search websites may certainly be susceptible and aware to the same issue of being used as a proxy for delivering malicious attachments.
Owners of career websites that accept resumes in any format, whether PDF or Microsoft Word should always assume the content may be malicious and perform scanning prior to forwarding them to any customer. Some approaches to consider include:
- Hashing the uploaded document and checking it against VirusTotal via their public API
- Scanning uploaded documents with a robust and frequently updated antivirus solution. While it is relatively trivial to create malware variants that can evade antivirus detection for 2-3 days after they are launched, this remains nonetheless an important measure for detecting the millions of known variants.
- Sandbox scanning solutions that can scan files at rest on a server via API, for more advanced malware that can evade antivirus detection. (This is a separate category from solutions designed to scan files and URLs in transit, such as in email.)
In addition, career service websites that accept document resumes could also consider the following strategic changes:
- Export the document contents to a Web version and send secure link to the listing organization.
- Change the form of document by converting to an image or a new PDF before sending it to the listing organization. The option has its own potential limitations, because PDFs have security issues of their own, and listing organizations normally expect to receive resumes in Word or PDF format, not as images.
Accepting and delivering Microsoft Word or PDF documents is a common practice, and whether resumes are received directly from job applicants or indirectly via a job search service, organizations and end users should exercise caution when opening and circulating these documents. All organizations should consider deploying an advanced threat solution that includes sandboxing and other dynamic malware analysis techniques to detect and block malicious attachments in email.
In new The Human Factor, we described how attackers – as part of an overall shift to targeting businesses – adjusted the strategy of their URL-based campaigns to rely on piggybacking on web marketing emails (such as newsletters and opt-in marketing) with links to legitimate sites that have been compromised in order to deliver malware to end-users who click on the link in their message. High-volume unsolicited email campaigns instead use attachments more often than URLs to deliver their malware, with a particular emphasis on malicious Office documents. This clever attack demonstrated techniques similar to those now used for URL-based campaigns, but this time to deliver malicious attachments, and exemplifies the practice of piggybacking on legitimate email services and sites in order to trick wary end-users and compromise targeted businesses.