A security firm has identified a new malware campaign on Careerbuilder.com, a popular job search website, in which attackers are using phishing and social engineering techniques in order to trick users into opening malicious documents.
In a post published on its security blog, Proofpoint explains that attackers are posting malicious documents in the Microsoft Word format to open positions on Careerbuilder.com. These documents, which often carry the names “resume.doc” or “cv.doc,” exploit a feature of the job search site where employers receive a notification every time an applicant posts a document to their advertised position.
“While this approach is more manual and requires more time and effort on the part of the attacker, the probability of the mail being delivered and opened is higher,” observes Proofpoint’s researchers.
The post goes on to explain that the malicious documents do not follow the trend of using macro-based malware and instead exploit a memory corruption vulnerability for Word RTF. These include CVE-2014-1761, CVE-2012-0158, and others.
Each document is built using Microsoft Word Intruder, an underground crime service that builds droppers and downloadable documents for malware.
Upon successful exploitation, the attachment contacts a command and control server, which downloads the payload executable. This executable includes a 7-Zip utility and a concatenated image, the latter of which drops a Sheldor backdoor.
“This clever attack demonstrate[s] techniques similar to those now used for URL-based campaigns, but this time to deliver malicious attachments, and exemplifies the practice of piggybacking on legitimate email services and sites in order to trick wary end-users and compromise targeted businesses,” the Proofpoint post concludes.
Attackers have used CareerBuilder.com for malicious purposes before. In March of 2014, security researchers discovered a new variant of the Gameover Zeus Trojan that attempted to steal the CareerBuilder.com login credentials of recruiters and employers.
For this phishing campaign, attackers used injectable web forms that prompted users to answer a number of security questions. The attackers could then use the victims’ answers to bypass identity verification measures.
In response to these and other attacks, Proofpoint recommends that all organizations consider deploying an advanced threat solution that includes sandboxing and other dynamic malware analysis techniques in order to detect and block malicious attachments in email.