Hackers are sending virus-laden CVs to HR employees to infect the company network

A group of cybersecurity specialists has revealed the discovery of multiple malicious files online posing as CVs; threat actors seek to attract victims and extract their bank details, such as card numbers, passwords, and more.

Researchers mention that these are malicious Microsoft Excel files sent by email with subject lines such as “Job Search” or “In relation to employment”. If users open these files, a window appears asking them to “enable content”; doing so triggers the download and installation of the ZLoader malware variant on the affected computer.

This is a variant of banking malware designed to extract login credentials and other sensitive details from users of specific banking institutions. Using the stolen information, malicious hackers can connect to the victim’s system and perform unauthorized financial transactions from the banking user’s legitimate device.

The number of e-fraud complaints has increased considerably over the past three months, Check Point experts say; this behavior seems to be related to the millions of people who have been looking for employment online.

In addition to CVs, the operators of these campaigns have been sending malware-laden files posing as medical forms to take advantage of the pandemic. These documents, with names like “COVID19 FLMA Center.doc”, are sent to random users and are infected with the IcedID banking malware.

The goal of this malware is to trick users into entering their login credentials on a fake page, along with authorization details that can be used to compromise their online accounts. These malicious files were emailed with the subject line “The following is a new Employee Application Form for licensing within the Family and Medical Leave Act (FMLA).” To lure victims into opening these forms, the criminals sent them from different sender domains such as “medical-center.space”.
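One way a mail gateway could triage messages like those described above, as an added example that is not from Check Point or the original article. The subject lines and sender domain are the ones quoted in the text; the function names, verdict labels and sample messages are constructed assumptions, and because the article does not state the Office file format, the check covers both legacy and OOXML containers.

```python
import io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lures quoted in the article; the decision rule itself is an assumption.
LURE_SUBJECTS = ("job search", "in relation to employment",
                 "family and medical leave act")
LURE_DOMAINS = ("medical-center.space",)
OFFICE_EXT = (".xls", ".xlsm", ".xlsb", ".doc", ".docm")
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container

def macro_risk(name, data):
    """Return why an attachment may run macros after 'enable content', else None."""
    if not name.lower().endswith(OFFICE_EXT):
        return None
    if data.startswith(OLE2_MAGIC):
        return "legacy OLE2 Office file, macro-capable"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                return "OOXML file with embedded VBA project"
    except zipfile.BadZipFile:
        return "Office extension but unrecognised container"
    return None

def triage(raw):
    """Return (verdict, findings) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", "")).lower()
    if any(s in subject for s in LURE_SUBJECTS):
        findings.append("subject matches a reported lure")
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain in LURE_DOMAINS:
        findings.append("sender domain named in the report")
    risky = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = macro_risk(name, part.get_payload(decode=True) or b"")
        if reason:
            risky = True
            findings.append(f"{name}: {reason}")
    verdict = "quarantine" if risky else ("review" if findings else "deliver")
    return verdict, findings

def sample(subject, sender, filename, data):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, sender, "hr@example.com"
    m.set_content("Please find my CV attached.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

The subject and sender matches only raise a message for review; the quarantine decision rests on the attachment's container, since lure wording changes between campaigns.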

In this regard, Omer Dembinsky, data intelligence manager at Check Point, provided some additional details on how these criminal groups operate: “As unemployment due to the economic crisis increases, cybercriminals begin to deploy much wider campaigns. They are using resumes to obtain valuable information, and are especially interested in extracting details related to money and banking. In the cybersecurity community we strongly ask any user opening an email with an attached resume to think twice.”