Researchers at Proofpoint recently discovered that some posted résumés at Career Builder were thinly disguised rootkits. The attacker uploaded malicious attachments instead of résumés.

In this case, the malicious message is sent by Career Builder instead of the hacker making it look more legit. Plus the recipients are expecting to receive résumés.

Once the document is opened, the exploited vulnerability will place a binary on the system that downloads and unzips an image file, which in turn installs the Sheldor rootkit. 7Zip is included with the dropper, so everything happens at once.


Proofpoint said in an advisory: "This inventive combination of effective delivery with a very stealthy infection routine enables attackers to evade automated defenses and fool skeptical end-users. Instead of a new employee, the victim organizations welcome a dangerous piece of malware."

"Moreover, it is important to note that job search services are themselves also victims in this attack because they are being exploited to deliver malicious attachments that bypass organizations’ existing defenses and even user training."

Source: Csoonline