Cybercriminals have a litany of techniques to get onto their victims’ IT systems: vulnerabilities, social networks, and even snail mail. The most popular method, however, is email: according to sources in the sector, 91% of cybercrime starts with a phishing email.
Quasar: a new version of a popular tactic
Towards the end of August, security researchers discovered a new phishing campaign that uses a particularly deceitful method to get malware onto a company’s system: the malware comes hidden in CVs that are sent as attachments, supposedly from someone looking for a job in the organization. Digital platforms have both upsides and downsides for the human resources department. On the one hand, they can help enormously to streamline the selection process. On the other hand, they have some glaring weak points, among which is IT security. Cybercriminals take advantage of the fact that companies receive dozens of documents related to their selection processes to send documents containing malware.
In the case analyzed, the malware that was delivered in the CVs is called Quasar, and is a remote access Trojan (RAT) that is popular among APTs. This indicates that this campaign is being carried out by professional cybercriminals who are seeking to use this tool to exploit their victims’ networks, steal their data, or even encrypt their systems with ransomware.
A deceptively simple campaign
At first glance, the campaign seems relatively simple—a malicious Word document attached to an email—but a more detailed investigation reveals that the attackers know exactly what they are doing. To begin with, the use of an easily accessible tool (Quasar is available on GitHub) makes attributing this campaign to any particular group much more difficult.
The Word document also contains several methods to evade detection: it is protected with a password and includes macros. The password it uses—123—is not especially innovative. However, for automated systems that analyze attachments and emails separately, it means that the document is never actually opened and no malicious activity is detected, since the system has no way of knowing that a password, supplied elsewhere in the message, is needed to reach the full contents.
If an analyst or automated system were to try to analyze the macros, the analysis script would likely run out of memory and crash on the more than 1,200 lines of garbage code the macros contain. This makes it very difficult to discover the URL of the final payload.
A final measure to avoid being detected is the download of a Microsoft Self Extracting executable that unpacks a 401MB Quasar RAT binary. This artificially large file means that the RAT cannot be shared on VirusTotal, a website that provides cyberthreat analysis. As a result, it is very hard to analyze this threat.
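As a defender's illustration of the three tricks described above (an added example, not part of the original article or of any vendor product), the following Python triage routine treats an attachment the scanner could not open or upload as unknown rather than clean. The scanner size limit, the password-hint pattern and the sample files are constructed assumptions.

```python
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# A password-protected OOXML file is an OLE2 container holding these two
# streams; OLE2 directory entry names are stored as UTF-16LE.
ENCRYPTION_STREAMS = [s.encode("utf-16-le") for s in ("EncryptionInfo", "EncryptedPackage")]
MAX_SCANNABLE_BYTES = 32 * 1024 * 1024  # assumed upload limit of the sandbox/multiscanner in use
PASSWORD_HINT = re.compile(r"\b(?:password|pwd)\b\s*(?:is|:)\s*\S+", re.I)


def triage_attachment(filename: str, data: bytes, body: str) -> dict:
    """Return {'verdict': 'allow' | 'hold', 'reasons': [...]}; 'hold' routes the
    message to manual or sandbox review instead of letting it through."""
    reasons = []
    if data.startswith(OLE2_MAGIC) and any(s in data for s in ENCRYPTION_STREAMS):
        reasons.append("password-protected Office document")
        if PASSWORD_HINT.search(body):
            reasons.append("password for the attachment is supplied in the email body")
    elif data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            names = set()
        if names & {"word/vbaProject.bin", "xl/vbaProject.bin"}:
            reasons.append("document carries a VBA macro project")
    looks_executable = data.startswith(b"MZ") or filename.lower().endswith((".exe", ".scr"))
    if looks_executable and len(data) > MAX_SCANNABLE_BYTES:
        reasons.append("executable too large to submit for scanning (size padding)")
    return {"verdict": "hold" if reasons else "allow", "reasons": reasons}


# Constructed stand-ins for the campaign's artifacts (not real samples).
SAMPLE_BODY = "Please find my CV attached. Password: 123"
SAMPLE_ENCRYPTED_DOC = OLE2_MAGIC + b"\x00" * 24 + ENCRYPTION_STREAMS[0] + b"\x00" * 8 + ENCRYPTION_STREAMS[1]


def build_macro_docm() -> bytes:
    """Minimal zip carrying the member an OOXML macro document would contain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

The only verdicts are "allow" and "hold": anything the pipeline cannot inspect is held for a human or a sandbox rather than being reported as clean.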
Is there any way to avoid this threat?
Though it may seem as though this kind of threat is unstoppable, there are ways to avoid it. The first thing that needs to be done is to carry out awareness campaigns aimed at the weakest link in a company’s cybersecurity chain: its employees, regardless of which department they belong to.
It is essential that they are able to recognize suspicious emails, no matter how authentic they seem; that they know never to open attachments from unknown senders; and that, if they have even the slightest doubt, they must contact the IT department to ask them about the next steps to follow.
Another vital step is to have advanced cybersecurity solutions. Panda Adaptive Defense has anti-exploit technology that is able to detect malicious scripts and macros. It also continuously analyzes all system activity, as well as all active applications. This way, if it detects any activity that is suspicious or out of the ordinary, it can stop the process and thus stop the cyberthreat from damaging the organization.
Cybercriminal efforts to get into organizations and get around protection measures aren’t going to stop evolving and becoming more sophisticated. This is why it is vital that you keep an eye on your email, one of the most popular points of entry for cybercriminals, and that you stay up-to-date with the latest cybersecurity trends.