Computer Security Threats

Posted by: Bob Bayn on Jun 8, 2015

Evil Resumes

Would your Internet Skepticism have protected you from this mischief?

Spamming hackers are sending vague inquiries about job or internship opportunities with a malware-bearing resume attachment.  Lately we've seen a standard message template with some synonym substitutions to help avoid spam blockers:

From: Varinia Godoy [NotVarinia@somewhereelse.ru]
Sent: Monday, June 08, 2015 4:32 AM
To: you
Subject: Openings?
Attachment:  My_Resume_3806.doc


[Hey there!|Hi there.|Hey.]
I
[noticed|saw|witnessed] your [website|business] today Tue, x Xxx 2015 and found it very [appealing|likeable|inviting].
I was
[hoping|praying] there was any possibility of internship [or unpaid trial period], just to prove my competence.

As you will see in my attached
[resume|CV], I am very qualified and have a very [broad|sweeping|large] experience in this type of work. I am very confident it will be worth your time [reading|reviewing] it, and I am even more [confident|positive] you will find me very [adequate|appropriate|suitable] in your [enterprise|company|corporation].

Please see my
[resume|CV|attached CV].
[I am|I'm] very much looking forward to hearing from you.
[With sincere thanks|Yours cordially|Thanks|Thank you for your assistance in this matter],

Varinia Godoy

Notice that the actual sender address is some hacked account that does not belong to the named sender.  Also, the message is very vague, giving no clue about what the expertise of the sender actually is or how it is relevant to the recipient.  After all, they are sending this to anybody, anyplace.  You are left to opening the Resume attachment if you want to find out anything about the sender.  And then, the Word Macro deploys a Trojan Downloader and they have you!

Submitting the attachment to VirusTotal.com shows this:

Notice that only 3 of the 57 Anti-virus engines used by VirusTotal actually found the malware in the document.  This must be a fairly new version of a Trojan or more AV engines would have recognized it.  [November update: about a dozen AV engines are recognizing the malware in the attachment now.]