A malspam campaign is in progress that spreads a variant of the Hermes ransomware disguised as a curriculum vitae (CV). The targets are above all companies.
A ransomware disguised as a curriculum vitae (CV) is in circulation and targets companies. It was discovered by an independent cyber security researcher, who detected a malicious email campaign with malicious Microsoft Word documents attached. If opened, these download the Hermes ransomware onto the victim’s computer. The cybercriminals behind the malspam campaign are betting on volume rather than on the sophistication of the malware to make money through the ransom, which of course must be paid in cryptocurrency. The malware is in fact not particularly sophisticated: its detection rate among the most widespread antivirus products is quite high, while the malicious Word file acting as downloader is currently recognized by only five. The malware had, moreover, already been used by cybercrime at the beginning of 2018 in attacks aimed at South Korean targets, through the exploitation of an Adobe Flash zero-day vulnerability.
How the cyber campaign works to spread malware using the CV lures
The malspam campaign against companies is simple. As the Internet Storm Center website reports, the malicious emails come from addresses on the anjanabro.com domain and carry a password-protected Word document as an attachment. The message text appears to come from a job seeker, and the attachment is supposed to be his curriculum. Since many people send their CV to organizations every day, the lure is really effective. Once the file is downloaded and opened, a password is required to unlock it. It is very trivial (“321”) and is included in the text of the email. After entering it, the user is prompted to enable macros. If this happens, the malicious code inside the document connects to a remote server and downloads onto the victim’s computer a malicious executable called “green.exe”, a variant of the Hermes ransomware, probably version 2.1.
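The lure pattern described above (a Word attachment, a document password disclosed in the mail body, a known sender domain) can be turned into a mail-gateway triage rule. The script below is an added example written for this article; it is not tooling from the Internet Storm Center or the researcher who found the campaign. The sender domain comes from the report, the two test messages are constructed, and the function names, the password regex and the OLE-signature heuristic (an encrypted .docx is stored as an OLE compound file rather than a ZIP archive) are assumptions of this example.

```python
"""Triage heuristics for the CV-lure malspam pattern described in the article.
Added example: flags messages that combine a Word attachment with a document
password disclosed in the body, plus the sender domain named in the ISC report."""
import email
import re
from email import policy
from email.message import EmailMessage

# Signature bytes of the two Office container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file (.doc, or an encrypted .docx)
ZIP_MAGIC = b"PK\x03\x04"                          # plain OOXML (.docx/.docm) is a ZIP archive

# Sender domain reported by the Internet Storm Center for this campaign.
BLOCKLISTED_SENDER_DOMAINS = {"anjanabro.com"}

WORD_EXTENSIONS = (".doc", ".docm", ".docx")

# Heuristic (assumption of this example): "password is 321", "Password: 321", "password = abc123".
PASSWORD_RE = re.compile(
    r'\bpassword\b[^\S\r\n]*(?:is|:|=)?[^\S\r\n]*["“]?(\d{3,12}|[A-Za-z0-9]{6,16})',
    re.IGNORECASE,
)
# Words that follow "password" in benign mail and must not count as a disclosed password.
PASSWORD_STOPWORDS = {"reset", "change", "protected", "required", "manager"}


def sender_domain(msg) -> str:
    """Domain part of the From header, lower-cased ('' if there is none)."""
    addr = msg.get("From", "")
    return addr.rsplit("@", 1)[-1].strip("> ").lower() if "@" in addr else ""


def triage_message(raw: bytes) -> dict:
    """Return the signals found in one raw RFC 822 message and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    signals = {}

    domain = sender_domain(msg)
    if domain in BLOCKLISTED_SENDER_DOMAINS:
        signals["blocklisted_sender"] = domain

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    m = PASSWORD_RE.search(text)
    if m and m.group(1).lower() not in PASSWORD_STOPWORDS:
        signals["password_in_body"] = m.group(1)

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(WORD_EXTENSIONS):
            signals["word_attachment"] = name
            # An OOXML file name on an OLE container is how a password-protected
            # .docx/.docm is stored: the ZIP is wrapped in an EncryptedPackage stream.
            if name.endswith((".docx", ".docm")) and data.startswith(OLE_MAGIC):
                signals["encrypted_docx"] = name

    # The lure is the combination: a Word file whose password is handed over in the body.
    if "blocklisted_sender" in signals or (
        "password_in_body" in signals and "word_attachment" in signals
    ):
        verdict = "quarantine"
    elif "word_attachment" in signals:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "signals": signals}


def build_sample(sender: str, body: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message; no real campaign sample is embedded."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "jobs@example.test"
    msg["Subject"] = "Application - CV attached"
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed messages: one mimicking the lure, one benign applicant mail.
LURE = build_sample(
    "applicant@anjanabro.com",
    "Please find my CV attached. The password is 321.",
    "resume.docx",
    OLE_MAGIC + b"\x00" * 64,
)
BENIGN = build_sample(
    "jane@example.test",
    "Please find my CV attached, looking forward to hearing from you.",
    "jane-cv.docx",
    ZIP_MAGIC + b"\x00" * 64,
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage_message(raw))
```

The verdict deliberately rests on the combination of signals rather than on any single one: a Word attachment alone only earns a manual review, because genuine applicants send exactly that, while a disclosed password next to a Word file, or the reported sender domain, is enough to quarantine. Detonating the attachment or inspecting its macros is out of scope here; the rule is meant to run at the gateway before a user is ever asked to enable macros.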
Photo Credits: Internet Storm Center