Fake resumes are being used in a phishing campaign targeting HR departments which delivers Word documents containing a malicious macro that downloads the Quasar Remote Access Trojan (RAT), according to Cofense researchers.
The Quasar RAT is an open source malware available on GitHub. The malware is used by many APT groups for espionage, network exploitation, logging keystrokes, stealing passwords, recording webcam footage, and taking screenshots.
The use of fake resumes to deliver malware is nothing new. It is a popular lure to get HR departments to install malware, but this campaign differs due to the lengths the attackers have gone to hide the malware and prevent analysis by security researchers.
The intercepted email included the text, “Hello, I saw your website and I’m interested in a position. Please see my attached resume.” The attached Word file is called 0.doc, which is password protected and requires the user to enter the password ‘123’ to open the document.
Opening and analyzing the file would reveal no malicious actions unless the password is supplied, but many automated security solutions would not determine that a password was required to open the document, nor would they be able to tell what the password is as analyze the content of messages and attached files separately.
If the password is entered and the document opened, another level of obfuscation comes into play. The macro contains around 1,200 lines of garbage code. If an attempt is made to analyze the macro for malicious actions, the script would likely crash because too much memory would be required. Cofense researchers found the payload URL hidden in meta-data for the embedded images and objects to further hamper attempts to analyze the attachment for malicious code.
The malicious payload is downloaded as a Microsoft Self-Extracting executable, which unpacks the RAT binary. The binary is 401MB, which prevents users from submitting files to VirusTotal via email and API, thus hampering efforts to share the file for analysis.