Posted March 26, 2015

Malicious “Resume” from Sammy Fields, a Less than Ideal Candidate

– by Steven Weinstein

As a small company where everyone works together quite closely, it’s definitely not uncommon for C-Level management to be reviewing potential job candidates’ resumes. It’s not even out of the ordinary to have a resume emailed directly to employees as opposed to through a careers portal. With our recent acquisition of CloudShield, we’ve gotten a lot of attention, and a lot of legitimate people looking to join a company on the rise.

Fortunately, we’ve got some pretty savvy senior managers, and when one received the same resume twice in one night from the same sender name (but different addresses), he immediately notified us of a potential issue. This incident was definitely unrelated to our acquisition of CloudShield, but the coincidental timing of it raises some interesting points.

I’ve always wondered why this attack vector isn’t used more heavily by threat actors. Compromising an organization via resume submissions couldn’t be more enticing from an attacker’s perspective. By today’s standards, weaponizing a Word document or PDF file is trivial for attackers and doesn’t even require newer exploits or zero-days to be effective. In our case, a heavily obfuscated JavaScript file attached in place of a document did the trick just fine.

Resumes are one of the few document types that it is perfectly acceptable for an employee to open when they arrive as an attachment from a completely unknown sender, and they are often forwarded to numerous people within an organization. Not to mention that if hiring managers or HR personnel receive resumes and open them, the data the attackers could gain access to is frightening. Think about the data in your HR file: would you want that stolen or exposed?

Anyway, on to the good stuff:

Below are snippets from the headers of the two emails that were sent:
Subject: Resume Sammy Fields
Return-Path: <vickieco@ion.websitewelcome[.]com>
Received: from ion.websitewelcome[.]com (ion.websitewelcome[.]com. [])
X-PHP-Script:[.]tz/tamper.php for 192.185.83[.]95
From: Sammy <SammyFiel[email protected][.]fr>

Subject: Resume Sammy Fields
Return-Path: <vickieco@ion.websitewelcome[.]com>
Received: from ion.websitewelcome[.]com (ion.websitewelcome[.]com. [])
X-PHP-Script: Vickie[.]co[.]tz/tamper.php for 173.192.91[.]2
From: Sammy <[email protected][.]com>

Both emails contained an identical attachment, “Sammy Fields”, which downloads as “Sammy Fields Resume.js”, and has the following hashes (not currently on VirusTotal):

MD5: 1B984B7FEB52E3464B75A755113F6222
SHA1: 2E9A8716555DB163B10EF08B2E2C34598D740C18
SHA256: 867860EDD6DA726E6CF1148C110294B06FFA0C1ED900FE467769E4C3929E7D46
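The indicators that tipped off the manager (one display name behind two sender addresses, a Return-Path at an unrelated hosting domain, a PHP mailer script header, and a script file where a document should be) are all checkable at the mail gateway. The following is an added example, not code from the original post or from LookingGlass; the messages it triages are constructed to mirror the header pattern above, and every address, domain and attachment body in it is a placeholder.

```python
"""Header and attachment triage for inbound resume emails.

Added example (not code from the original post). The messages below are
constructed to mirror the pattern the post describes: one display name,
two different sender addresses, a Return-Path at an unrelated hosting
domain, an X-PHP-Script header from a PHP mailer, and a .js attachment.
All addresses, domains and the attachment body are placeholders.
"""
import email
import os
from collections import defaultdict
from email import policy
from email.utils import parseaddr

# Extensions that Windows Script Host or the shell will execute on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".scr",
               ".exe", ".bat", ".cmd", ".ps1"}


def resume_message(sender):
    """Constructed lure modelled on the two 'Resume Sammy Fields' emails."""
    return (
        f"From: Sammy <{sender}>\n"
        "Return-Path: <vickieco@ion.hosting.example>\n"
        "X-PHP-Script: vickie.example/tamper.php for 192.0.2.10\n"
        "Subject: Resume Sammy Fields\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nPlease find my resume attached.\n"
        "--b1\n"
        'Content-Type: application/octet-stream; name="Sammy Fields Resume.js"\n'
        'Content-Disposition: attachment; filename="Sammy Fields Resume.js"\n'
        "\nvar x = 'placeholder for the obfuscated dropper';\n"
        "--b1--\n"
    )


def benign_message():
    """Constructed legitimate application: consistent domains, PDF attachment."""
    return (
        "From: Jane Doe <jane@applicant.example>\n"
        "Return-Path: <jane@applicant.example>\n"
        "Subject: Application - Jane Doe\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b2"\n'
        "\n--b2\nContent-Type: text/plain\n\nCV attached.\n"
        "--b2\n"
        'Content-Type: application/pdf; name="Jane Doe CV.pdf"\n'
        'Content-Disposition: attachment; filename="Jane Doe CV.pdf"\n'
        "\n%PDF-1.4 placeholder\n"
        "--b2--\n"
    )


def score_message(raw):
    """Return (display name, address, findings) for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = addr.rpartition("@")[2].lower()
    rp_dom = return_path.rpartition("@")[2].lower()
    # Envelope sender at a domain unrelated to the visible From address.
    if rp_dom and from_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")
    # Hosting providers add this when mail is sent by a PHP script on a web host.
    if msg.get("X-PHP-Script"):
        findings.append("sent by PHP mailer script: " + msg["X-PHP-Script"])
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename)[1].lower() in SCRIPT_EXTS:
            findings.append(f"script attachment {filename!r}")
    return name, addr, findings


def triage(raws):
    """Score each message, then add the cross-message display-name check."""
    results, by_name = [], defaultdict(set)
    for raw in raws:
        name, addr, findings = score_message(raw)
        by_name[name.lower()].add(addr.lower())
        results.append({"name": name, "from": addr, "findings": findings})
    for r in results:
        addrs = by_name[r["name"].lower()]
        if len(addrs) > 1:
            r["findings"].append(f"display name {r['name']!r} used by {len(addrs)} addresses")
        if any(f.startswith("script attachment") for f in r["findings"]):
            r["verdict"] = "quarantine"
        else:
            r["verdict"] = "review" if r["findings"] else "clean"
    return results


if __name__ == "__main__":
    for r in triage([resume_message("sammyfields@mail-a.example"),
                     resume_message("sammy.fields@mail-b.example"),
                     benign_message()]):
        print(r["verdict"], r["from"], r["findings"])
```

Any script extension alone is enough to quarantine here, because a resume never legitimately arrives as a .js file; the remaining findings only raise a message to "review" so that applicants using a mail provider whose envelope sender differs from their address are not silently dropped.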

The JavaScript is heavily obfuscated, as can be seen in the screenshot below:


The deobfuscated JavaScript can be viewed below:


As can be seen from the last few lines of the deobfuscated JavaScript, two “jpg” files (which are actually .NET executables) are downloaded to the system and renamed to 2865241.exe and 1246549.exe:



one.jpg - 2865241.exe
SHA1: 0BAFF8FFFE6F148F468BB016C28F87966FF761F5
SHA256: 3DEAB24EB0789B5CECCAAB959401F90B9DA6CBCFFDCA824C1600D3E76BDAE789
two.jpg - 1246549.exe
MD5: A689694221D86F0C992EA2AE67E6783E
SHA1: 5B548744F98BF902FBFEF50994DE5F98247F83D6
SHA256: 342B27712F796CE72986E83F050D68549A8B52E3C6C1206055C8AD51D4B5BE8A
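The dropper relies on nobody checking whether one.jpg and two.jpg are really images. A proxy or sandbox can decide that from the bytes alone: a PE file starts with an MZ stub whose e_lfanew points at the PE signature, and a .NET assembly additionally populates data directory entry 14 (the CLR runtime header). The block below is an added example, not code from the original post or from the malware; it generalizes the check to any PE, not only .NET ones, and the sample PE headers it classifies are constructed in build_fake_pe() rather than taken from the real payloads. The URLs are placeholders.

```python
"""Content-versus-name check for downloaded 'images'.

Added example (not code from the original post or from the malware). It
classifies a fetched file from its bytes, ignoring the .jpg name in the URL,
by parsing the DOS/PE headers and looking for the CLR runtime data directory
that marks a .NET assembly. build_fake_pe() constructs minimal header-only
PE images for the demo; they are not runnable programs.
"""
import hashlib
import os
import struct
from urllib.parse import urlparse

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def classify_payload(data: bytes) -> str:
    """Return 'jpeg', 'pe', 'pe-dotnet' or 'unknown' from content alone."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    pe_off = _u32(data, 0x3C)                      # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return "unknown"                           # MZ stub without a PE header
    opt = pe_off + 24                              # optional header after the 20-byte COFF header
    opt_size = _u16(data, pe_off + 20)             # SizeOfOptionalHeader
    if opt_size < 2 or opt + opt_size > len(data):
        return "pe"                                # truncated; still a PE
    magic = _u16(data, opt)
    if magic == 0x10B:                             # PE32: data directories at +96
        dd = opt + 96
    elif magic == 0x20B:                           # PE32+: data directories at +112
        dd = opt + 112
    else:
        return "pe"
    clr = dd + 14 * 8                              # entry 14 = CLR runtime header (RVA, size)
    if clr + 8 <= opt + opt_size and _u32(data, clr) != 0:
        return "pe-dotnet"
    return "pe"


def check_download(url: str, data: bytes) -> dict:
    """Flag a response whose URL claims an image but whose bytes are a PE."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    kind = classify_payload(data)
    return {
        "url": url,
        "kind": kind,
        "sha256": hashlib.sha256(data).hexdigest(),
        "suspicious": ext in IMAGE_EXTS and kind.startswith("pe"),
    }


def build_fake_pe(dotnet: bool) -> bytes:
    """Constructed minimal PE32 header (not a runnable program) for the demo."""
    pe_off, opt_size = 0x80, 224
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)      # e_lfanew -> PE signature
    # COFF header: Machine=i386, 1 section, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)   # CLR header RVA, size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = [("one.jpg", build_fake_pe(True)),
               ("two.jpg", build_fake_pe(False)),
               ("real.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16)]
    for name, blob in samples:
        print(check_download(f"http://c2.example/images/{name}", blob))
```

The extension mismatch is the actionable signal: a PE served under an image name is worth blocking and hashing regardless of whether the sample is known, which matters here because neither payload was on VirusTotal at the time.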

The first piece of malware downloaded, one.jpg, is actually CryptoWall 3.0, which encrypts files of common types across the system. A decryption message like the one below is displayed, instructing the user to pay a ransom to decrypt the files:



After obtaining the machine’s public IP address by making a GET request to ip-addr[.]es (188.165.164[.]184), this specific sample makes multiple POST requests similar to the one below to xn--3-6kca2cpvkm2c3c[.]com (91.206.30[.]144).


CryptoWall 3.0 is very well documented and a full analysis is beyond the scope of this blog post, but additional information on it can be found on Kafeine’s blog here:

The second sample of malware, two.jpg, is Fareit, which is an information stealer that attempts to harvest credentials from web browsers, email clients, or FTP clients. A deeper analysis of Fareit can be found here:

Our sample of Fareit POSTs data to the following locations: (112.78.7[.]162) (174.37.164[.]215) (174.37.164[.]215) (66.7.218[.]220) (195.242.99[.]145) (94.124.120[.]61)

The attackers also seem to be slightly modifying or rotating their payloads. The below SHA256 hashes have also been observed being served from the same URLs on davis1[.]ru:


These seem to be a continuation of malicious “resumes” sent out over the past few weeks, originally fetching the following payloads from hxxp://dorttlokolrt[.]com/images/one.jpg and hxxp://dorttlokolrt[.]com/images/two.jpg, initially observed on March 12, 2015:


While the combination of using CryptoWall 3.0 at the same time as a password stealer like Fareit seems to be new, it is not surprising that attackers are adding additional components to their attacks. Not only does it add a level of complexity for responders or victims, but it also provides the attackers additional means of reward, financial or otherwise.

As always, employees need to be extra cautious when opening attachments from unknown senders. Organizations may also want to consider basic awareness training for employees (especially those handling resumes) to teach them how to spot suspicious emails or attachments.
