Fake Resumes Inject Malware
Employers who receive an email from someone pretending to be looking for a job could fall victim to a hard-to-detect phishing attack that installs a remote-access tool. Researchers with Cofense have recently spotted emails with malicious attachments delivering the open-source Quasar malware. While the phishing theme is common, this particular campaign uses several sophisticated tactics that make it harder to detect. Organizations have more difficulty catching the .doc attachment that distributes the Quasar RAT because the document takes measures to deter detection, including password protection (a built-in feature of Microsoft Word) and encoded macros.
The phishing emails come from fake job applicants and carry the message, "Hello, I saw your website and I'm interested in a position. Please see my attached resume." The message targets hiring managers or HR staff and points them to an attached Microsoft Word "resume." The attachment, titled 0.doc, delivers the malware and uses several counter-detection measures.
The attachment uses Microsoft Word's built-in password protection and tricks victims into clicking through the usual security warning pop-ups. By password-protecting the attachment, the attacker hopes to bypass automated security systems: they cannot open and scan the file because they have no way to read and supply the password. The phishing message prompts victims to enter the password 123 to view the document. The password prompt is designed to defeat automated systems that process attachments separately from the email that carries them.
Once the attachment has been opened, a message claiming it is a Protected Document urges the user to click Enable Content next to the warning bar stating that macros have been disabled. In a further attempt to evade detection, the attachment contains more than 1,200 lines of junk code that appears to be base64-encoded; if researchers attempt to decode it to analyze the document, their tooling crashes under the volume of decoding required. Even if researchers succeed in decoding the strings, the resulting content still lacks the URL, and the partial strings and filler text lend the document some appearance of legitimacy. Portions of the payload URL, along with other information, are instead hidden as metadata of images and objects embedded in the document.
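Two of the evasions described above (the password delivered in the email body, and the long run of base64-looking filler strings) can be turned into triage signals on the defender's side. The following Python script is an added example, not code from Cofense or from the article, and it assumes the analyst already has the macro text as a dump (for instance from oletools' olevba). The email body and macro literals below are constructed samples, the regexes and the 0.9 printable-ratio threshold are the author's own heuristics, and the URL inside the sample literal is a placeholder, not the campaign's real payload URL.

```python
import base64
import binascii
import re

# --- Constructed samples (not artifacts from the campaign) -------------------
# Email body modelled on the lure quoted in the article, with the password
# stated in the message as the article describes.
SAMPLE_BODY = (
    "Hello, I saw your website and I'm interested in a position. "
    "Please see my attached resume. The document password is 123."
)

# Three string literals of the kind a macro dump might contain:
# one that decodes to readable text (placeholder URL, not the real one),
# one that decodes to opaque bytes (decoy), and one that is not valid
# base64 at all (junk that merely looks encoded).
TEXT_LITERAL = base64.b64encode(b"http://placeholder.invalid/payload").decode()
OPAQUE_LITERAL = base64.b64encode(bytes(range(48))).decode()
JUNK_LITERAL = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # 26 chars: length not a multiple of 4

SAMPLE_VBA = f'''
Sub AutoOpen()
    Dim a As String, b As String, c As String
    a = "{TEXT_LITERAL}"
    b = "{OPAQUE_LITERAL}"
    c = "{JUNK_LITERAL}"
End Sub
'''

# --- Signal 1: password supplied in the same message as the attachment -------
PASSWORD_HINT = re.compile(
    r"\bpassword\b\s*(?:is|:)?\s*[\"']?(\w{1,32})", re.IGNORECASE
)

def find_password_hints(body: str) -> list:
    """Return candidate passwords stated in an email body.

    A scanner that processes the attachment on its own never sees the body,
    so this check has to run on the message, where the password actually is.
    """
    return [m.group(1) for m in PASSWORD_HINT.finditer(body)]

# --- Signal 2: base64-looking literals that decode to nothing useful --------
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{24,}={0,2})"')

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)

def classify_literals(vba_text: str) -> list:
    """Classify each long quoted literal as text, opaque, or not-base64.

    Decoding literals one at a time (instead of concatenating the whole
    document) keeps memory bounded however many lines of filler there are.
    """
    out = []
    for m in B64_LITERAL.finditer(vba_text):
        lit = m.group(1)
        try:
            raw = base64.b64decode(lit, validate=True)
        except (binascii.Error, ValueError):
            out.append((lit, "not-base64"))
            continue
        out.append((lit, "text" if printable_ratio(raw) > 0.9 else "opaque"))
    return out

def decoy_counts(vba_text: str) -> dict:
    """Count literals per class; a large decoy share is the signal."""
    counts = {"text": 0, "opaque": 0, "not-base64": 0}
    for _, kind in classify_literals(vba_text):
        counts[kind] += 1
    return counts

def is_suspicious(vba_text: str) -> bool:
    """Flag macro text where decoy literals outnumber ones that decode to text."""
    c = decoy_counts(vba_text)
    return (c["opaque"] + c["not-base64"]) > c["text"]

if __name__ == "__main__":
    print("password hints:", find_password_hints(SAMPLE_BODY))
    print("literal classes:", decoy_counts(SAMPLE_VBA))
    print("suspicious:", is_suspicious(SAMPLE_VBA))
```

The design point is that the two checks live in different places: the password hint can only be found by a component that sees the email body together with its attachment, and the decoy-string check decodes each literal independently rather than treating the whole macro as one blob, which is exactly the pattern that the filler is meant to break.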
The Quasar RAT is a publicly available, open-source RAT that can be found on GitHub. Hackers use it maliciously to facilitate network exploitation; it can steal passwords, log keystrokes, take screenshots and record webcam footage. Because the tool is so easily accessible, linking the attacks to a specific hacker or hacking group is difficult.