Malicious docs submitted to CareerBuilder job listings distribute malware

Researchers with security firm Proofpoint have identified a sneaky social engineering-style operation in which attackers are submitting weaponized Microsoft Word documents – in lieu of actual résumés – to job postings listed on the CareerBuilder website.

On CareerBuilder, employers that post job openings will receive an email notification when an applicant submits a résumé, and the résumé is included as an attachment in the notification, according to a Wednesday post.

In this operation, the attackers are submitting malicious documents that exploit a memory corruption vulnerability in Word RTF, the post indicated. The documents are crafted using Microsoft Word Intruder (MWI), an underground crime service used to build weaponized documents typically meant for delivering malware.

Proofpoint observed a low volume of malicious documents being submitted for engineering and finance positions – such as business analyst, web developer and middleware developer – at stores, energy companies, broadcast companies, credit unions and electrical suppliers, according to the post.

“The attacks appear to be financially motivated; attackers are attempting to gain access to critical systems at companies that have access to wire-transferrable cash reserves and/or large volumes of information that's of value on the black market,” Kevin Epstein, VP of Advanced Security & Governance with Proofpoint, told in a Thursday email correspondence.

Upon opening the malicious Word document, code embedded by the attackers stealthily causes two seemingly innocuous files to download – a decompression app and what appears to be an image. If the image is opened by the decompression app, malware known as Sheldor begins running, Epstein said, explaining that the “combined delivery approach” helps with concealment.

Sheldor – which is packaged with legitimate remote assistance app TeamViewer in order to further prevent detection – provides a backdoor into computers, Epstein said.

“Once Sheldor is on your computer, attackers can use your computer in the background, without your knowledge,” he said. “They will have the same file and network access as you do, and can even log your keystrokes, activate your webcam, use your microphone, and so forth.”

Modern targeted attack protection and threat response systems are a must for online services that accept documents from unknown individuals on the internet, as well as for organizations that accept inbound emails with attachments and URLs, Epstein said.

CareerBuilder did not return a request for comment.

UPDATE: A CareerBuilder spokesperson told on Thursday, “CareerBuilder follows Incident Response protocols, investigating the scope and type of attack with the help of third party experts kept under contract, and sharing information with affected customers. CareerBuilder has controls in place to stop mass distribution of applications to job postings and takes a variety of preventative measures.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.