A campaign has been found using malicious files posing as resumes, sent as job applications. The researchers dubbed the campaign “The Curious Case of the Criminal Curriculum Vitae”. The campaign is attributed to the known cybercriminal organization TA505, also known as “Evil Corp.” One of the most infamous campaigns associated with this organization was the Necurs botnet, which was recently taken over by Microsoft.
In this newly discovered TA505 campaign, the threat actors targeted German companies with emails carrying trojanized attachments disguised as job applications. While this activity appeared to be geographically focused on Germany, the same techniques could easily be applied to any organization worldwide. Once the email attachment was opened, a company’s credentials and credit card data could be transmitted covertly to the threat actors. TA505 is known to use commercial tools to encrypt all of a user’s files, which suggests this recent activity could also lay the groundwork for an infection vector into the company’s network to encrypt files. They are also capable of fetching an instance of NetSupport, a commercial remote administration tool, hosted on a user’s Google Drive account. This enables a host of actions, including remote file transfer, screen captures, and even voice recordings. Because these threat actors abuse legitimate binaries such as GPG tools and NetSupport, they are unlikely to be removed by traditional antivirus software. The following information about a target is sent to the C2.
The threat actor controlled C2 is located at URI hxxp://194.36.189[.]215/firstga990.php.
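The C2 above is published in defanged form (hxxp, [.]), so a defender has to refang it before it can be matched against proxy or DNS logs. The script below is an added example, not code from the report or from the researchers; it refangs the published indicator, splits it into host and path, and scans a few constructed proxy log lines (the timestamp/client/method/host/path/status layout is an assumption) for connections to it. Google Drive is deliberately not treated as an indicator, since the report says only that the NetSupport payload was hosted there and matching the whole domain would drown a SOC in benign hits.

```python
import re
from typing import Dict, Iterable, List

# Indicator exactly as published in the report, in defanged form.
DEFANGED_C2 = "hxxp://194.36.189[.]215/firstga990.php"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.], (.)) back into a matchable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def parse_indicator(indicator: str) -> Dict[str, str]:
    """Split a (possibly defanged) URL indicator into host and path for separate matching."""
    url = refang(indicator)
    m = re.match(r"^https?://([^/]+)(/.*)?$", url)
    if not m:
        raise ValueError(f"unrecognised indicator: {indicator}")
    return {"host": m.group(1).lower(), "path": m.group(2) or "/"}


# Constructed proxy log lines for illustration only; not real traffic.
# Assumed layout: timestamp client method host path status
SAMPLE_PROXY_LOG = """\
2020-03-19T09:12:01Z 10.0.5.23 POST 194.36.189.215 /firstga990.php 200
2020-03-19T09:12:04Z 10.0.5.23 GET  www.example.com /index.html 200
2020-03-19T09:13:17Z 10.0.7.88 GET  drive.google.com /uc?export=download 200
2020-03-19T09:14:42Z 10.0.5.23 POST 194.36.189.215 /firstga990.php 200
"""


def find_c2_hits(log_text: str, indicators: Iterable[str]) -> List[Dict[str, str]]:
    """Return every log line whose host matches an indicator host and whose path
    starts with the indicator path (prefix match is an assumption; tighten to an
    exact match if the IoC feed gives full URLs)."""
    parsed = [parse_indicator(i) for i in indicators]
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, method, host, path, status = fields
        for ioc in parsed:
            if host.lower() == ioc["host"] and path.startswith(ioc["path"]):
                hits.append({"time": ts, "client": client, "method": method,
                             "host": host, "path": path, "status": status})
                break
    return hits


def affected_clients(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct internal hosts that talked to the C2; these are the machines to triage."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    matches = find_c2_hits(SAMPLE_PROXY_LOG, [DEFANGED_C2])
    for h in matches:
        print(f"{h['time']} {h['client']} -> {h['host']}{h['path']}")
    print("clients to triage:", affected_clients(matches))
```

Each matching client is a host to isolate and image; the repeated POSTs to the same PHP endpoint are consistent with the report's description of target information being sent to the C2, and that pattern (not the IP alone, which will rotate) is what to carry into a longer-lived detection rule.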