A New Malware Campaign Targets HR Departments as the Unemployment Rates Rise

Hackers Targeting HR Departments

The coronavirus pandemic has affected everyone, and this apparently includes the cybercriminals. For example, in March, Check Point registered a 30% reduction in the number of malware attacks compared to January. It's a pretty significant decrease, but when you think about it, you'll see that it's not surprising at all. Businesses throughout the world were forced to close because of the pandemic, and the cybercriminals had fewer targets to aim their attacks at.

Now, however, the world is slowly coming back to its everyday life, and the same goes for the hackers. According to Check Point, in May, there was a 16% jump in the number of cyberattacks compared to April.

COVID-19 has not gone away, though, and not surprisingly, the hackers' attacks still revolve around it. Yesterday, Check Point's researchers wrote about a recent malware campaign that takes advantage of one of the pandemic's worst side effects.

Hackers mask malware as CVs

Unemployment rates throughout the world soared after the crisis began, and in places like the US, they reached unbelievable heights. As businesses reopen, they need to find workers, and they expect to see plenty of people looking for a job. This is exactly what the hackers are trying to take advantage of.

According to Check Point, the cybercriminals have set their sights on HR departments and are distributing malware by masking it as job seekers' CVs. As you might have guessed, the attack vector comes in the form of an email from a person who is reportedly looking for a job. The body of the message resembles a short cover letter, and as with all job applications, a CV is attached to the email. This is where the malware is hidden.

Malicious Excel documents and ISO archives distribute the Zloader malware

The emails US companies are receiving come with Excel files attached to them. Instead of a curriculum vitae, however, the user sees an empty spreadsheet when they open the file, and they're asked to "Enable Content" in order to view the document. If they do, the macro instructions download and install the malware. In the UK and Romania, the attachment is an ISO archive that extracts the final EXE payload.

The payload in question is the Zloader banking trojan. The malware has been around for years now, it's based on the infamous Zeus, and it's specializing in stealing passwords for bank accounts and financial institutions.

Can you spot the scam?

There are a few tell-tale signs of a phishing scam. CVs usually come as Word rather than Excel files, and seeing them in an archived format is even more unusual. The unsolicited communication itself should set off some alarm bells, and if the company hasn't announced any open positions, employees should be suspicious of any job applications that appear in their inboxes.

All that being said, the campaign is well-engineered, and it could catch more than a few people out. HR specialists handle CVs on a daily basis, and given the massive unemployment rates, the number of files that hit their inbox right now is probably huge, which means that the increased workload could result in costly mistakes.

In the end, whether or not the employees fall for the scam depends on how well they're educated and how aware they are of the danger. Because their work involves opening large numbers of documents every day, HR specialists are particularly vulnerable to such attacks, and companies should probably pay a bit more attention to their training.

June 5, 2020

Leave a Reply