Posted March 26, 2015

Malicious “Resume” from Sammy Fields, a Less than Ideal Candidate

– by Steven Weinstein

As a small company where everyone works together quite closely, it is not uncommon for C-level management to review potential job candidates' resumes, and it is not out of the ordinary for a resume to be emailed directly to employees rather than submitted through a careers portal. With our recent acquisition of CloudShield we've gotten a lot of attention, and a lot of legitimate people looking to join a company on the rise.

Fortunately, we have some pretty savvy senior managers. When one of them received the same resume twice in one night from the same sender name but two different addresses, he immediately notified us of a potential issue. The incident was unrelated to our acquisition of CloudShield, but the coincidental timing raises some interesting points.

I've always wondered why this attack vector isn't used more by threat actors. Compromising an organization via resume submissions couldn't be more enticing from an attacker's perspective. By today's standards, weaponizing a Word document or PDF file is trivial, and it doesn't even require new exploits or zero-days to be effective. In our case the attacker didn't bother with a document at all: a heavily obfuscated JavaScript file does the trick just fine.

A resume is one of the few document types an employee is expected to open even when it arrives from a completely unknown source, and resumes are routinely forwarded to numerous people within an organization. If hiring managers or HR personnel open a weaponized resume, the data the attacker can reach is frightening. Think about what is in your HR file: would you want that stolen or exposed?

Anyway, on to the good stuff:

Below are snippets from the headers of the two emails that were sent (domains and IP addresses defanged with [.]):

First email:
Subject: Resume Sammy Fields
Return-Path: <vickieco@ion.websitewelcome[.]com>
Received: from ion.websitewelcome[.]com (ion.websitewelcome[.]com. [192.185.179[.]135])
X-PHP-Script: vickie.co[.]tz/tamper.php for 192.185.83[.]95
From: Sammy <[email protected][.]fr>

Second email:
Subject: Resume Sammy Fields
Return-Path: <vickieco@ion.websitewelcome[.]com>
Received: from ion.websitewelcome[.]com (ion.websitewelcome[.]com. [192.185.179[.]135])
X-PHP-Script: Vickie.co[.]tz/tamper.php for 173.192.91[.]2
From: Sammy <[email protected][.]com>

Two things stand out. Both messages were relayed by the same host (ion.websitewelcome[.]com, a shared web hosting server) with the same Return-Path, neither of which has anything to do with the .fr and .com domains in the From: lines, so the visible sender is simply spoofed. And the X-PHP-Script header, which cPanel-based hosts add to anything sent through PHP's mail() function, shows that both messages were generated by a script (tamper.php) on a hosted website, vickie.co[.]tz, invoked from two different client IPs. That is the signature of a PHP mailer on a (presumably compromised) website, not of a candidate attaching a resume.
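The checks a reviewer would make on those headers, as an added example (not code from the original post). The header snippets are the ones quoted above, embedded so the script runs offline; the From: addresses are placeholders (sammy@example[.]fr and sammy@example[.]com), since the page as extracted does not show them, and the heuristics (From vs. Return-Path domain, PHP mailer fingerprint, one display name over several addresses, shared relay) are this example's own:

```python
"""Header triage for the two 'Sammy Fields' messages.

Added example, not code from the original post. Header text is the snippet
quoted in the post; the From: addresses are placeholders because the page
does not show the real ones.
"""
import re
from collections import defaultdict

# Header snippets as quoted in the post (defanged with "[.]").
RAW_MESSAGES = [
    """Subject: Resume Sammy Fields
Return-Path: <vickieco@ion.websitewelcome[.]com>
Received: from ion.websitewelcome[.]com (ion.websitewelcome[.]com. [192.185.179[.]135])
X-PHP-Script: vickie.co[.]tz/tamper.php for 192.185.83[.]95
From: Sammy <sammy@example[.]fr>""",
    """Subject: Resume Sammy Fields
Return-Path: <vickieco@ion.websitewelcome[.]com>
Received: from ion.websitewelcome[.]com (ion.websitewelcome[.]com. [192.185.179[.]135])
X-PHP-Script: Vickie.co[.]tz/tamper.php for 173.192.91[.]2
From: Sammy <sammy@example[.]com>""",
]

HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
ADDR_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$')
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def refang(text):
    """Undo the [.] defanging so domains and IPs compare normally."""
    return text.replace("[.]", ".")


def parse_headers(raw):
    """Map lowercased header names to values (last occurrence wins)."""
    headers = {}
    for line in refang(raw).splitlines():
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return headers


def split_address(value):
    """'Sammy <a@b.fr>' -> ('Sammy', 'a@b.fr'); a bare address gets an empty name."""
    m = ADDR_RE.match(value)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", value.strip().lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def summarize(raw):
    """Pull out the fields that matter for sender-consistency checks."""
    h = parse_headers(raw)
    name, from_addr = split_address(h.get("from", ""))
    _, return_path = split_address(h.get("return-path", ""))
    relay = IP_RE.search(h.get("received", ""))
    # cPanel-style hosts append "X-PHP-Script: <site>/<script> for <client ip>"
    script, _, client = h.get("x-php-script", "").partition(" for ")
    return {
        "display_name": name,
        "from_addr": from_addr,
        "from_domain": domain_of(from_addr),
        "return_path_domain": domain_of(return_path),
        "relay_ip": relay.group(1) if relay else "",
        "php_script": script.strip(),
        "php_client": client.strip(),
    }


def triage(raw_messages):
    """Return (per-message summaries, findings) for a batch of messages."""
    summaries = [summarize(r) for r in raw_messages]
    findings = []
    addrs_by_name = defaultdict(set)
    msgs_by_relay = defaultdict(set)
    for i, s in enumerate(summaries, start=1):
        if s["from_domain"] and s["from_domain"] != s["return_path_domain"]:
            findings.append(f"msg{i}: From domain {s['from_domain']} differs from "
                            f"Return-Path domain {s['return_path_domain']}")
        if s["php_script"]:
            findings.append(f"msg{i}: sent through PHP mail() by {s['php_script']} "
                            f"(invoked from {s['php_client']}), not from a mail client")
        if s["display_name"]:
            addrs_by_name[s["display_name"]].add(s["from_addr"])
        if s["relay_ip"]:
            msgs_by_relay[s["relay_ip"]].add(i)
    for name, addrs in addrs_by_name.items():
        if len(addrs) > 1:
            findings.append(f"display name {name!r} reused across {len(addrs)} "
                            f"From addresses: {sorted(addrs)}")
    for ip, msgs in msgs_by_relay.items():
        if len(msgs) > 1:
            findings.append(f"messages {sorted(msgs)} all relayed via {ip}")
    return summaries, findings


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGES)[1]:
        print(finding)
```

None of these findings is conclusive on its own (mailing lists legitimately rewrite Return-Path, for instance), but the combination seen here, a PHP mailer on a web host plus one display name over two sender domains in one night, is exactly what the manager noticed by eye.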

Both emails carried the same attachment, "Sammy Fields Resume.zip", which contains "Sammy Fields Resume.js" (a script, not a document). The script has the following hashes (not on VirusTotal at the time of writing):

MD5: 1B984B7FEB52E3464B75A755113F6222
SHA1: 2E9A8716555DB163B10EF08B2E2C34598D740C18
SHA256: 867860EDD6DA726E6CF1148C110294B06FFA0C1ED900FE467769E4C3929E7D46
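The attachment check a mail gateway or an analyst should make before anyone double-clicks, as an added example (not code from the original post). The archive is constructed in memory to mirror the one described above (a zip named "Sammy Fields Resume.zip" holding "Sammy Fields Resume.js"); the script inside is a harmless stub rather than the sample, so the hashes it computes will not match those listed:

```python
"""Offline look inside a 'resume' attachment: what does the archive really hold?

Added example, not from the original post. The zip built here is a stand-in
for the attachment described in the post; its member is a benign stub.
"""
import hashlib
import io
import posixpath
import zipfile

# Extensions Windows hands to a script host or loader on double-click.
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                   ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1",
                   ".lnk", ".jar"}
# What a resume is actually expected to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".odt", ".txt"}


def build_zip(members):
    """Construct a zip from {name: text} in memory (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, text in members.items():
            z.writestr(name, text)
    return buf.getvalue()


def build_sample_zip():
    """Stand-in for the attachment described in the post; benign stub body."""
    return build_zip({"Sammy Fields Resume.js": "WScript.Echo('placeholder');\r\n"})


def extensions(name):
    """'Resume.pdf.js' -> ['.pdf', '.js']: every extension, lowercased."""
    parts = posixpath.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]]


def inspect_archive(data, attachment_name):
    """Return (member records, findings) for the bytes of a zip attachment."""
    members, findings = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            content = z.read(info)
            exts = extensions(info.filename)
            final = exts[-1] if exts else ""
            rec = {
                "name": info.filename,
                "size": info.file_size,
                "md5": hashlib.md5(content).hexdigest(),
                "sha256": hashlib.sha256(content).hexdigest(),
                "executable": final in EXECUTABLE_EXTS,
                # 'Resume.pdf.js': a document extension in front of a script one
                "double_extension": len(exts) > 1 and exts[-2] in DOCUMENT_EXTS
                                    and final in EXECUTABLE_EXTS,
            }
            members.append(rec)
            if rec["executable"]:
                findings.append(f"{info.filename}: '{final}' is a script/executable type, not a document")
            if rec["double_extension"]:
                findings.append(f"{info.filename}: document extension '{exts[-2]}' in front of '{final}'")
    # A 'resume' archive that holds no document at all is the case seen here.
    if "resume" in attachment_name.lower() and not any(
            (extensions(m["name"]) or [""])[-1] in DOCUMENT_EXTS for m in members):
        findings.append(f"{attachment_name}: named like a resume but contains no document")
    return members, findings


if __name__ == "__main__":
    _, found = inspect_archive(build_sample_zip(), "Sammy Fields Resume.zip")
    print("\n".join(found))
```

The hashes are computed on the extracted member, not on the zip, which is what you want to look up on VirusTotal or match against the values above; a gateway rule built on the same logic (archive named like a resume, no document inside, a script-host extension present) would have stopped this one before it reached the manager.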

The JavaScript is heavily obfuscated, as the screenshot below shows:

[Figure 1: screenshot of the obfuscated JavaScript]

The deobfuscated JavaScript can be viewed below:

[Figure 2: screenshot of the deobfuscated JavaScript]

As the last few lines of the deobfuscated JavaScript show, the script downloads two files served with a "jpg" extension (which are actually .NET executables, not images) and writes them to disk as 2865241.exe and 1246549.exe:

[Figure 3: deobfuscated JavaScript, download of one.jpg and two.jpg (first screenshot)]

[Figure 4: deobfuscated JavaScript, download of one.jpg and two.jpg (second screenshot)]

one.jpg (saved as 2865241.exe)
MD5: DEEC2A79F1CFBDC8DCED0F68EC908A28
SHA1: 0BAFF8FFFE6F148F468BB016C28F87966FF761F5
SHA256: 3DEAB24EB0789B5CECCAAB959401F90B9DA6CBCFFDCA824C1600D3E76BDAE789
https://www.virustotal.com/en/file/3deab24eb0789b5ceccaab959401f90b9da6cbcffdca824c1600d3e76bdae789/analysis/

two.jpg (saved as 1246549.exe)
MD5: A689694221D86F0C992EA2AE67E6783E
SHA1: 5B548744F98BF902FBFEF50994DE5F98247F83D6
SHA256: 342B27712F796CE72986E83F050D68549A8B52E3C6C1206055C8AD51D4B5BE8A
https://www.virustotal.com/en/file/342b27712f796ce72986e83f050d68549a8b52e3c6c1206055c8ad51d4b5be8a/analysis/
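Whether a file served as .jpg is really an image, and whether an executable is a managed (.NET) image as the post says these two are, can be decided from the headers alone, without running anything. The following is an added example, not code from the original post: it checks for the JPEG magic bytes, walks MZ to e_lfanew to the PE signature, and reads data directory 14 (the CLR runtime header), which is non-zero only for .NET images. The sample bytes are a constructed PE skeleton, not the real payloads:

```python
"""Is that 'jpg' really an image? Header-level check for payloads fetched under
a misleading extension, plus the .NET test via the CLR data directory.

Added example, not from the original post. build_fake_pe() produces a
constructed, non-loadable PE skeleton for testing; the real samples are not
reproduced here.
"""
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
CLR_DIRECTORY = 14                  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
PE32, PE32PLUS = 0x10B, 0x20B       # optional header magic values


def build_fake_pe(dotnet=False, pe32plus=False):
    """Constructed PE skeleton: MZ stub, PE signature, COFF header, optional
    header with 16 data directories. Enough for header triage, nothing more."""
    e_lfanew = 0x40
    mz = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", mz, 0x3C, e_lfanew)
    dir_base = 112 if pe32plus else 96          # data directories start here
    opt_size = dir_base + 16 * 8
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS if pe32plus else PE32)
    if dotnet:
        # A non-zero CLR runtime header RVA/size marks a managed image.
        struct.pack_into("<II", opt, dir_base + CLR_DIRECTORY * 8, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,   # Machine
                       1, 0, 0, 0,                      # sections, timestamp, symtab, nsyms
                       opt_size, 0x0102)                # SizeOfOptionalHeader, Characteristics
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt)


def classify(data, claimed_name):
    """Compare what the bytes are with what the file name claims they are."""
    claimed = claimed_name.rsplit(".", 1)[-1].lower()
    result = {"claimed": claimed, "actual": "unknown", "pe32plus": None, "dotnet": False}
    if data[:3] == JPEG_MAGIC:
        result["actual"] = "jpeg"
    elif data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 26:
            result["actual"] = "pe"
            coff = e_lfanew + 4
            opt = coff + 20
            opt_size = struct.unpack_from("<H", data, coff + 16)[0]
            plus = struct.unpack_from("<H", data, opt)[0] == PE32PLUS
            result["pe32plus"] = plus
            clr = opt + (112 if plus else 96) + CLR_DIRECTORY * 8
            if clr + 8 <= opt + opt_size and clr + 8 <= len(data):
                rva, size = struct.unpack_from("<II", data, clr)
                result["dotnet"] = rva != 0 and size != 0
    expected = {"jpg": "jpeg", "jpeg": "jpeg", "exe": "pe", "dll": "pe", "scr": "pe"}.get(claimed)
    result["mismatch"] = result["actual"] != "unknown" and result["actual"] != expected
    return result


if __name__ == "__main__":
    print(classify(build_fake_pe(dotnet=True), "one.jpg"))
```

The same check belongs in a web proxy: a response whose URL ends in .jpg but whose body starts with MZ is a download worth blocking or at least alerting on, independent of any signature for the payload itself.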

The first executable downloaded, one.jpg, is CryptoWall 3.0, which encrypts files of common types across the system. It then displays a ransom note like the one below, instructing the user to pay to have the files decrypted:

[Figure 5: CryptoWall 3.0 ransom note (first screenshot)]

[Figure 6: CryptoWall 3.0 ransom note (second screenshot)]

After obtaining the machine's public IP address with a GET request to ip-addr[.]es (188.165.164[.]184), this sample makes multiple POST requests like the one below to xn--3-6kca2cpvkm2c3c[.]com (91.206.30[.]144), an internationalized domain name in its punycode form:

[Figure 7: POST request from the CryptoWall 3.0 sample to xn--3-6kca2cpvkm2c3c[.]com]

CryptoWall 3.0 is well documented and a full analysis is beyond the scope of this post, but additional information can be found on Kafeine's blog: http://malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html

The second sample, two.jpg, is Fareit (also known as Pony), an information stealer that harvests credentials from web browsers, email clients, and FTP clients. A deeper analysis of Fareit can be found here: http://blog.malwaremustdie.org/2013/01/cridex-fareit-infection-analysis.html

Our sample of Fareit POSTs the stolen data to the following locations:

ocvitcamap.com/administrator/lib/cheapoakley.php (112.78.7[.]162)
spark-leds.com/upload/images/images.php (174.37.164[.]215)
sapacmold.com/img/t/t.php (174.37.164[.]215)
ubikate.mx/wp-includes/images/images.php (66.7.218[.]220)
ebouw.nl/wp-includes/pomo/pomo.php (195.242.99[.]145)
getserved.nl/wp-content/themes/themes.php (94.124.120[.]61)

The paths (wp-includes and wp-content are WordPress directories, administrator is Joomla's) suggest these are compromised legitimate websites serving as drop points rather than infrastructure the attackers registered themselves, which is worth remembering before blocking whole domains.
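Putting the network indicators from the CryptoWall section and the Fareit list above to work, as an added example (not code from the original post): the indicator sets are the hosts and paths listed in this post, refanged; the log format (ISO timestamp, client IP, method, URL, status) and the log lines are constructed for the example. Besides flat matching, it flags the CryptoWall 3.0 order of operations described above, a public-IP lookup followed within a few minutes by a POST to the C2 from the same client, since a lookup of ip-addr.es on its own is weak evidence:

```python
"""Match this post's network indicators against proxy log lines.

Added example, not from the original post. Indicator values are the ones
quoted in the post; the log format and SAMPLE_LOG are constructed.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

IP_LOOKUP_HOSTS = {"ip-addr.es"}
CRYPTOWALL_C2_HOSTS = {"xn--3-6kca2cpvkm2c3c.com"}   # matched as the A-label a log records
PAYLOAD_HOSTS = {"dorttlokolrt.com", "davis1.ru"}
FAREIT_C2 = {
    "ocvitcamap.com/administrator/lib/cheapoakley.php",
    "spark-leds.com/upload/images/images.php",
    "sapacmold.com/img/t/t.php",
    "ubikate.mx/wp-includes/images/images.php",
    "ebouw.nl/wp-includes/pomo/pomo.php",
    "getserved.nl/wp-content/themes/themes.php",
}

# Constructed log format: ISO timestamp, client IP, method, URL, status.
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Constructed sample: one infected client (10.0.0.7) and one that only
# visited the IP-lookup site (10.0.0.9).
SAMPLE_LOG = [
    "2015-03-25T21:14:02 10.0.0.7 GET http://dorttlokolrt.com/images/one.jpg 200",
    "2015-03-25T21:14:03 10.0.0.7 GET http://dorttlokolrt.com/images/two.jpg 200",
    "2015-03-25T21:14:10 10.0.0.7 GET http://ip-addr.es/ 200",
    "2015-03-25T21:14:12 10.0.0.7 POST http://xn--3-6kca2cpvkm2c3c.com/ 200",
    "2015-03-25T21:14:15 10.0.0.7 POST http://spark-leds.com/upload/images/images.php 200",
    "2015-03-25T21:30:00 10.0.0.9 GET http://ip-addr.es/ 200",
    "2015-03-25T21:31:00 10.0.0.9 GET http://www.example.com/index.html 200",
]


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host, "path": u.path, "hostpath": host + u.path, "status": int(status)}


def classify(ev):
    """Name the indicator an event matches, or None."""
    if ev["host"] in IP_LOOKUP_HOSTS:
        return "ip_lookup"
    if ev["method"] == "POST" and ev["host"] in CRYPTOWALL_C2_HOSTS:
        return "cryptowall_c2"
    if ev["method"] == "POST" and ev["hostpath"] in FAREIT_C2:
        return "fareit_c2"
    if ev["host"] in PAYLOAD_HOSTS and ev["path"].endswith(".jpg"):
        return "payload_download"
    return None


def scan(lines, window=timedelta(minutes=5)):
    """Return (client, tag, detail) alerts; lines are assumed time-ordered."""
    alerts, last_lookup = [], {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        tag = classify(ev)
        if tag is None:
            continue
        alerts.append((ev["client"], tag, ev["hostpath"]))
        if tag == "ip_lookup":
            last_lookup[ev["client"]] = ev["ts"]
        elif tag == "cryptowall_c2":
            # The sequence seen in the sample: IP lookup, then C2 POST.
            t0 = last_lookup.get(ev["client"])
            if t0 is not None and ev["ts"] - t0 <= window:
                alerts.append((ev["client"], "cryptowall_sequence",
                               f"IP lookup at {t0.isoformat()} then C2 POST at {ev['ts'].isoformat()}"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The C2 host is compared in its xn-- form because that is what a proxy log records on the wire; converting it to Unicode is useful for a report but not for matching. The Fareit entries are matched on host plus path because, as noted above, those hosts appear to be legitimate compromised sites.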

The attackers also seem to be slightly modifying or rotating their payloads. The below SHA256 hashes have also been observed being served from the same URLs on davis1[.]ru:

B0C4C704C6AF22B53886F57D6A7C8CA78047EDCE85568240E80B2D49361EC9C5
0A98822E9845A0E92F5583128B654ED1F2F0351CA5904884DDA40F4FD64DD711
9D87F2A59D44DEDF4D30C02D89D3FF7BA6E54FCC60B1DCBCF86B7ABDAEB3A72C
7EB6B2A7023300666ACD2778FCFB450A9FBE2572F4F5E80A665A3FB17A2C1620
4201AF6AE181CC3698C5D164384F5CCC7B9E5C14E320C4AEA250696513DAB420
53FF37B0FBFFA0C2656F09F8EA90322158E40B3C5318DD670EEF3AC9D72B9FB3
64646BA704304228322BE2DDF4AFD8D50B522B8FA8E7F9F3CA6FE765D2816E25

These seem to be a continuation of malicious "resumes" sent out over the past few weeks, originally fetching the following payloads from hxxp://dorttlokolrt[.]com/images/one.jpg and hxxp://dorttlokolrt[.]com/images/two.jpg, initially observed on March 12, 2015.

While using CryptoWall 3.0 together with a password stealer like Fareit seems to be new, it is not surprising that attackers are adding components to their attacks. Not only does it add complexity for responders and victims, it also gives the attackers additional means of reward, financial or otherwise: the credentials Fareit steals remain valuable whether or not the ransom is ever paid.

As always, employees need to be extra cautious when opening attachments from unknown senders. Organizations should also consider basic awareness training for employees, especially those handling resumes, on how to spot suspicious emails and attachments. A simple technical control helps here too: a resume should arrive as a PDF or Word document, so a mail gateway can quarantine archives containing script files (.js, .vbs, .wsf) or executables regardless of what the message says it is.
