An evasive phishing email campaign used fake resumes to infect recipients with one of several malware payloads.
Zix’s cloud-based email security solution ZixProtect first detected several waves of the campaign in March 2019. According to the samples it analyzed, an attack attempt began when a user received an email that appeared to be an unsolicited application for an unnamed job. The sender used the email to explain that they were interested in a position and had thus sent along their resume as an attached Microsoft Office document.
Sean Vogt, Associate Product Manager at Zix, observed something unique about this attachment that helped the malicious Office documents avoid detection. As he explained to me in an email:
What’s interesting about this attack is that they password protected the Office files to circumvent sandboxing and other content scanning on the Office documents. Some engines can’t detect malicious payloads inside of password protected files at all, leaving administrators with an “all or nothing” approach that either blocks all encrypted files of a specific type or lets them through and leaves it up to the endpoint to catch the malware.
The use of password-protected files allowed those behind this campaign to try to exploit the “human element.” Assuming that the endpoint failed to spot the threat, a user could have used the password included in the message of the attack email to access the protected Office file. Doing so would have then loaded one of several malware families. These include the following:
- IcedID: According to IBM’s X-Force team, IcedID is a banking trojan that first emerged in the wild in September 2017. At the time of discovery, the malware relied solely on Emotet for distribution in digital attacks targeting banks, payment card providers and similar organizations. But while the malware still maintains a close association with Emotet to this day, its operators have broadened IcedID’s capabilities. One such update came in April 2018 when Cisco Talos observed the formation of a new distribution partnership between IcedID and Ursnif/Dreambot. Just a few months later, Fortinet noticed taht the bad actors behind IcedID had forged a similar partnership with Trickbot.
- Dridex: Back in 2015, Dell SecureWorks and other security firms joined forces with international law enforcement to seize control of the Dridex botnet by poisoning each sub-botnet's P2P network and redirecting infected systems to a sinkhole. Though successful, this effort didn’t shut down Dridex for good. In the beginning of 2018, Forcepoint Security Labs observed a new campaign in which a new variant of the banking malware appeared and began using compromised FTP websites for distribution. The security community has learned more about the threat’s creators and infrastructure since then, as well. Near the end of January 2018, for instance, ESET uncovered a new ransomware family named “BitPaymer” which the Slovakian security firm linked to Dridex’s authors. Almost a year later, Trend Micro observed that the makers of Dridex were using a loader that behaved similar to one used by the Ursnif and Emotet gangs.
As stated above, many security products can’t detect this evasive malware campaign due to its use of password-protected Office files. But this operation wasn’t able to sneak by every solution. ZixProtect’s “Pattern Matching” filter, for instance, allowed the solution to unlock the Office files and subsequently block their malicious content. Such is the efficacy of an email security tool that scans incoming mail based upon their URLs, patterns, IP addresses, known malware signatures and other indicators, thereby ensuring that everything suspicious is caught and everything benign is allowed through.
Stop evasive malware campaigns in their tracks with ZixProtect