Adam Robinson is a Security Engineer with Loop Technology who specialises in the deployment and management of Intel Security based solutions. He is also Loop’s Entrust SSL Certificate expert and he has a keen interest in analysing and unpacking malware. If you have a question for Adam, please email firstname.lastname@example.org.
Not all email-based attacks appear to come from sellers of miracle weight loss drugs, shipping companies reminding you of a delivery or rich royals trying to escape Nigeria. Some look like individuals looking for a job. Social commentary aside, most of us know someone looking for a job, and most job hunting is done digitally, with possible exceptions for the Retail and Hospitality industries.
A sample of the attack HTML file looks like this:
When the recipient tries to open the file, the browser tries to load the URL in the IFRAME tag. Here, the iframe calls out to a compromised web server or a web server built with malicious intent.
In this case, the URL loads yet another HTML file, which has a redirect link pointing to a Google Docs link.
The redirect uses a meta refresh tag, which is typically used to update the content of a Web page in real time.
The Google Docs link downloads another zip file called my_resume.zip, which contains a file with a name like my_resume_pdf_id_8412-7311.scr.
A .scr file is basically just an executable file for Windows. The .scr extension is supposed to be associated with screensavers, but is frequently used to deliver malware to unsuspecting users. When the victim opens the .scr file, it triggers the ransomware. Then the crypto game begins.
If you are unsure, delete the resume. A job seeker would be much more likely to send a resume as a document rather than a zip.
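The three markers described above (an HTML attachment with a remote iframe, a meta refresh redirect, and a zip holding a .scr file) can be checked at a mail gateway or during triage. The following is an added example, not code from the original article; the function names, the extension list, the placeholder hosts and the sample inputs are assumptions constructed for illustration.

```python
import io
import zipfile
from html.parser import HTMLParser

# Extensions Windows runs as programs; .scr is the one used in this campaign.
EXECUTABLE_EXTS = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")

class _LureParser(HTMLParser):
    """Collects remote iframe sources and meta-refresh redirect targets."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases tag and attribute names
        if tag == "iframe" and a.get("src", "").lower().startswith(("http:", "https:", "//")):
            self.findings.append(("iframe-remote-src", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content has the form "0; url=http://host/path"
            _, _, target = a.get("content", "").partition(";")
            target = target.strip()
            if target.lower().startswith("url="):
                self.findings.append(("meta-refresh", target[4:].strip("'\" ")))

def scan_html(text):
    """Return (marker, url) pairs found in an HTML attachment or fetched page."""
    parser = _LureParser()
    parser.feed(text)
    return parser.findings

def scan_zip(data):
    """Return archive members whose names end in an executable extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]

# Constructed samples (not the real attachment): placeholder hosts, empty payload.
SAMPLE_ATTACHMENT = '<html><body><iframe src="http://compromised.example/r.html" width="1" height="1"></iframe></body></html>'
SAMPLE_REDIRECT = '<meta http-equiv="refresh" content="0; url=https://docs.example/download?id=PLACEHOLDER">'

def sample_zip():
    """Build an in-memory zip whose only member uses the file name from the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my_resume_pdf_id_8412-7311.scr", b"")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_html(SAMPLE_ATTACHMENT), scan_html(SAMPLE_REDIRECT), scan_zip(sample_zip()))
```

Any non-empty result is a reason to quarantine the message for review; a genuine resume has no need for a remote iframe, an automatic redirect or a screensaver file.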
If you are concerned about Cryptolocker and would like to talk about options to address this challenge, feel free to contact us.
Stay safe out there.