Threat Watch: Resume Files containing Advanced Persistent Threats

Posted by Lindsay Faria on Mar 14, 2017 8:59:32 AM

Find me on:

advanced threats.jpegAs cybercriminals become more duplicitous by the day, businesses and individuals alike need to be more aware than ever of their digital surroundings. One example of this was recently highlighted on the Barracuda blog: Resume files containing Advanced Persistent Threats (APTs).  

This threat counts on unsuspecting email recipients to open a .doc file supposedly containing a resume from a job applicant. From there, chaos ensues.

How the malicious resume file works

The malicious resumes are usually .doc files that contain a malicious macro. When the file is detonated, the macro immediately:

  • Downloads and executes a visual basic script
  • Imports external functions from the web and runs them
  • Spawns a shell
  • Connects to a remote server
  • Actively begins work to evade the computer’s built-in anti-virus

MSP phishing quiz

Once an account or an endpoint has been infected this way, a new threat will then be sent to a different account using the email of the original employee infected. Or, the malicious program will infect an account and track who in the company oversees wire transfers, invoices, and so forth. Then the attackers will use that information to launch a targeted spear phishing attack.

For full details on this, be sure to check out the original post.

MSPs' experience with malicious resume files

After seeing this post, I shared it with some of the MSP Partner contacts I was in touch with that week to put it on their radar and learn more about their experiences with this threat. Out of the small pool of 15 MSPs I reached out to,  27 percent of them told me they had customers that had been impacted by a ‘tricky’ resume.

One partner described a scenario where an HR manager opened a resume that he believed to be from a prospective job seeker. The document opened up blank. Shortly thereafter, his computer was affected by a CryptoLocker variant that encrypted his hard drive contents. Fortunately, the MSP was able to restore all documents and files from backup, but they had to complete a full system rebuild. It could have been worse, but this is something no company wants to spend their time working on.

Help customers avoid this threat

We suggest reaching out to your customers to remind them to be cognizant of this type of threat, and to remind them of a few key best practices, as the original post points out:

  • Do not click on any links in email. Type the address directly into your browser.
  • Do not open suspicious attachments, even if they seem to be from someone you trust.
  • Keep endpoint antivirus, patches, and other software updated.
  • Do not reveal sensitive personal or company information in email.
  • If you aren’t sure of whether an email is legitimate, verify by contacting the company or person directly on the phone, or through legitimate communications you have previously received from that company.

Subscribe to the Intronis blog

While it’s disheartening to hear that businesses are falling victim to attempts to infiltrate their organizations this way, I was encouraged to hear that several of the Partners with impacted customers were able to ultimately protect their data in most cases.

If you haven’t already, be sure to make sure your colleagues and customers are aware of this threat and that they are ready to defend themselves against it today!

Ransomware-ebook

Topics: Cyber Security

MSP Health Check
MSP Phishing Quiz
MSP Marketing Assessment
Intronis Local Lunches