
My Resume Protects All Your Files

Jun, 05, 2015 Hi-network.com

This post was authored by Nick Biasini

Talos has found a new SPAM campaign that uses multiple layers of obfuscation to evade detection. Spammers are always evolving to get their messages to end users, bypassing SPAM filters while still appearing convincing enough for a user to complete the actions required to infect the system. The final payload of this campaign is Cryptowall 3.0. Talos has covered this threat repeatedly, and this is another example of how the success of ransomware has pushed it to one of the top threats we see today. Whether through exploit kits or SPAM messages, threat actors are pushing as many different variants of ransomware as possible.

Email Details

Resume-based SPAM isn't anything new. An analysis of our telemetry found countless resume-related messages in the last 30 days. Threat actors have tried many different techniques with these messages, including password-protected zip files, Word documents with embedded macros, and malicious URLs redirecting to a malicious sample. This threat combined a series of detection-evasion techniques that has been surprisingly successful against some products. Below is a sample of one of the emails we saw in our telemetry.

Sample Email

The concept of the email is simple enough: an attached zip file that supposedly contains a resume. One interesting detail is that the threat actor made it look like a reply to an existing email rather than an unsolicited message. Also note the file size: the zip is only 276 bytes, far too small to hold a real resume. Inside the zip is an HTML file with a name similar to resume4522.html. Below are the contents of the HTML file:

<html>
<head>
</head>
<body>
<iframe src="http://<redacted>/cgi/resume2.php?id=726
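The two observable traits described above, a zip attachment only a few hundred bytes long and an HTML member whose sole purpose is an iframe to a remote PHP script, are cheap to check at the mail gateway. The script below is an added example, not Talos code or part of the original post: it builds a constructed look-alike attachment in memory (placeholder host example.invalid, not the campaign's URL), lists the findings for it, and flags the combination. The 1024-byte "tiny archive" threshold is an assumed cutoff, and a regex rather than an HTML parser is used so that truncated or malformed HTML, which malicious attachments often are, is still caught.

```python
import io
import re
import zipfile

# Constructed sample attachment, not the campaign's real file: a zip
# holding one HTML file whose only content is an iframe pointing at a
# remote PHP script. The host is a placeholder.
SAMPLE_HTML = (
    "<html>\n<head>\n</head>\n<body>\n"
    '<iframe src="http://example.invalid/cgi/resume2.php?id=726" '
    'width="0" height="0"></iframe>\n'
    "</body>\n</html>\n"
)

# Tags whose src/data attribute silently pulls remote content. A regex is used
# instead of an HTML parser because malicious HTML is often truncated or
# malformed (unclosed tags, missing quotes) and must still be caught.
FRAME_SRC_RE = re.compile(
    r'<(?:iframe|frame|script|embed|object)\b[^>]*?\b(?:src|data)\s*=\s*["\']?([^"\'\s>]+)',
    re.IGNORECASE | re.DOTALL,
)
REMOTE_RE = re.compile(r"^(?:https?:)?//", re.IGNORECASE)

# Assumed threshold: a real resume (PDF/DOCX) is never this small; the
# sample in the post was 276 bytes.
TINY_ARCHIVE_BYTES = 1024


def build_sample_zip(name="resume4522.html", content=SAMPLE_HTML):
    """Build an in-memory zip mimicking the attachment (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def extract_remote_srcs(html):
    """Return src/data URLs of frame-like tags that point off-host."""
    return [m for m in FRAME_SRC_RE.findall(html) if REMOTE_RE.match(m)]


def inspect_attachment(data):
    """Return a list of findings for one zip attachment (empty = nothing odd)."""
    findings = []
    if len(data) <= TINY_ARCHIVE_BYTES:
        findings.append("tiny archive: %d bytes" % len(data))
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + ["not a valid zip"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith((".html", ".htm")):
                continue
            findings.append("HTML member: " + name)
            # Cap the read so a decompression bomb cannot exhaust memory.
            html = zf.open(info).read(1 << 20).decode("utf-8", "replace")
            for src in extract_remote_srcs(html):
                findings.append("remote frame/script in %s: %s" % (name, src))
    return findings


def is_suspicious(data):
    """Flag the pattern from the post: a tiny zip whose HTML loads remote content."""
    f = inspect_attachment(data)
    tiny = any(x.startswith("tiny archive") for x in f)
    remote = any(x.startswith("remote frame/script") for x in f)
    return tiny and remote


if __name__ == "__main__":
    for line in inspect_attachment(build_sample_zip()):
        print(line)
```

Feed `inspect_attachment` the raw bytes of each zip attachment pulled from the message; the findings list is what you would log, while `is_suspicious` is the single verdict to act on. Either trait alone is weak (plenty of benign HTML embeds remote content, and some legitimate archives are tiny), which is why the verdict requires both.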
