May 02 2015

New threat is using job websites to spread malware

A new threat has been identified that uses phishing and social engineering techniques to sneak malware into several businesses. Sites like CareerBuilder have reported malicious documents in Microsoft Word format titled “resume.doc” or “cv.doc.”

So how does this new attack work?

When a resume is submitted, sites like CareerBuilder automatically send a notification email to the company that posted the ad, with the resume attached.

  • When the end-user opens the email and attempts to view the attachment, the document exploits a known vulnerability in Word to place a malicious virus on the user’s system.
  • The malware contacts a command and control server, which downloads and unzips an image file, which in turn drops a backdoor piece of malware dubbed “Sheldor” on the victim’s computer.
  • The malware makes use of Microsoft Word Intruder (MWI) service and exploits a memory corruption vulnerability for Word Rich Text Format files.
  • The payload is dropped on the victim’s computer once the attachment is opened. It is likely to slip past defenses, because it is concealed in an image (see below).

The document drops an executable that unzips this image file.

Viewing the image in a hex editor, the 7z signature 0x377A can be seen after the end of the JPEG.

To summarize this attack, an attacker uploads a malicious MWI-built Word document to a job-search site, and the service emails the attachment to one or more end-users in the hiring organization. When the end-user opens the email and attempts to view the attachment, the document exploits a known Word vulnerability to place a malicious virus that downloads and unzips an image file, which in turn drops the Sheldor rootkit on the victim’s computer.
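As an added defensive check (example code, not from the original post or any vendor tool), this Python parser walks a JPEG's segment structure to find where the image really ends and reports whether a 7z archive has been appended after it; the sample bytes are constructed.

```python
"""Added example (not from the original post): detect data appended after a
JPEG's end-of-image marker and check whether it starts with a 7z header."""

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"   # full 7z signature; 0x377A is its first two bytes


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past the
    EOI marker that closes the image. Raises ValueError on malformed input."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker == 0xD9:                       # EOI: the image proper ends here
            return pos
        if marker == 0xFF:                       # fill byte: re-read from the next 0xFF
            pos -= 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                             # standalone markers carry no length
        length = int.from_bytes(data[pos:pos + 2], "big")
        pos += length                            # length field counts its own 2 bytes
        if marker == 0xDA:                       # SOS: skip entropy-coded scan data
            while True:
                pos = data.find(b"\xff", pos)
                if pos < 0 or pos + 1 >= len(data):
                    raise ValueError("scan data runs off the end of the file")
                nxt = data[pos + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # stuffed 0xFF or RSTn
                    pos += 2
                else:
                    break                        # a real marker: back to the segment loop
    raise ValueError("no EOI marker found")


def find_appended_archive(data: bytes) -> dict:
    """Report how much data follows the JPEG and whether it looks like a 7z archive."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    return {"jpeg_end": end, "trailer_len": len(trailer),
            "sevenz": trailer.startswith(SEVENZ_MAGIC)}


# Constructed sample: a minimal (not decodable) JPEG skeleton with a stuffed
# 0xFF00 and an RST0 marker inside the scan, followed by a fake 7z trailer.
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x04JF" + b"\xff\xda\x00\x02"
              + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
POLYGLOT = CLEAN_JPEG + SEVENZ_MAGIC + b"\x00\x04" + b"constructed archive body"
```

Any non-zero trailer on an image that arrived as an email attachment or was dropped by a document is worth a closer look, whether or not it carries the 7z magic.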

What can you do?

  • Export the document contents to a web version and send a secure link to the listing organization.
  • Scan uploaded documents with a robust and frequently updated antivirus solution.