Experts at security firm Cofense observed an advanced phishing campaign delivering Quasar RAT via fake resumes.
The use of multiple anti-
The fake resumes distributed in this phishing campaign are password-protected Microsoft Word documents. The samples analyzed by the experts used ‘123’ as
Experts observed that the attackers use a trick to evade detection: the macro was developed to crash analysis tools.
“If an analyst or automated system were then to attempt to analyze the macros using an analysis tool (such as the popular tool ‘
Researchers discovered that parts of the payload URL, along with additional information, are hidden as metadata for embedded images and objects.
If the macro is successfully executed, it will display a series of images claiming to be loading content while it is repeatedly adding a garbage string to the document contents. This process will cause the system to display an error message while downloading and running a malicious executable in the background.
The last trick adopted by the attackers to avoid detection is to download a Microsoft self-extracting executable; the Quasar RAT is then dropped on the now-compromised system.
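Because the resumes are password-protected, content scanners cannot see the macro until the document is decrypted, so a mail-triage step can at least flag such attachments for review. The following Python code is an added example (not from Cofense or the original article): it assumes the documents use the modern OOXML encryption wrapper, where the encrypted package is stored in an OLE compound file containing `EncryptionInfo` and `EncryptedPackage` streams. The function names and the sample bytes are constructed for illustration.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF

def cfb_entry_names(data: bytes) -> list:
    """List directory entry names of an OLE compound file ([] if not one)."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        return []
    shift = struct.unpack_from("<H", data, 30)[0]
    if shift not in (9, 12):                                # 512- or 4096-byte sectors
        return []
    size = 1 << shift
    first_dir = struct.unpack_from("<I", data, 48)[0]       # first directory sector
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]  # sector 0 follows the header
    fat = []
    for s in struct.unpack_from("<109I", data, 76):         # header DIFAT slots only
        if s <= MAXREGSECT:
            raw = sector(s)
            fat.extend(struct.unpack(f"<{len(raw) // 4}I", raw[:len(raw) // 4 * 4]))
    names, seen, cur = [], set(), first_dir
    while cur < len(fat) and cur not in seen:               # follow chain, guard loops
        seen.add(cur)
        raw = sector(cur)
        for off in range(0, len(raw) - 127, 128):           # 128-byte directory entries
            name_len, obj_type = struct.unpack_from("<HB", raw, off + 64)
            if obj_type and 2 <= name_len <= 64:            # skip unused entries
                names.append(raw[off:off + name_len - 2].decode("utf-16-le", "replace"))
        cur = fat[cur]
    return names

def is_encrypted_ooxml(data: bytes) -> bool:
    """True when both streams that wrap an encrypted OOXML package are present."""
    return {"EncryptionInfo", "EncryptedPackage"} <= set(cfb_entry_names(data))

def _entry(name, obj_type):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return raw.ljust(64, b"\x00") + struct.pack("<HB", len(raw), obj_type) + bytes(61)

def build_sample(streams):
    """Constructed input: header + FAT sector + directory sector (max 3 streams)."""
    hdr = CFB_MAGIC + bytes(16) + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
    hdr += struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr += struct.pack("<109I", 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    entries = [_entry("Root Entry", 5)] + [_entry(n, 2) for n in streams]
    return hdr + fat + b"".join(entries).ljust(512, b"\x00")

if __name__ == "__main__":
    print(is_encrypted_ooxml(build_sample(["EncryptionInfo", "EncryptedPackage"])))
```

Only the 109 FAT sector slots in the header are read, which covers files up to roughly 7 MB with 512-byte sectors. Legacy binary `.doc` password protection does not use these streams and is not detected by this check.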
(SecurityAffairs – phishing campaign, hacking)