Attack Overview

Step 1: Email

Attackers send recruitment-themed emails posing as job seekers. The message includes a Dropbox link to a file labeled as a resume (e.g., SusyCV.vbs), targeting hiring managers in the hospitality industry.

  • The email mimics a standard job application message.
  • It includes a Dropbox-hosted file masquerading as a resume.
  • Targets are encouraged to review the file as part of the hiring process.

Step 2: Execution of VBS Loader

The downloaded file is a Visual Basic Script, not a resume. This VBS script acts as a loader, executing a series of checks before delivering its payload.

  • The script verifies the user’s location (geofencing).
  • It checks for sandbox or virtualization environments.
  • These steps help the malware avoid early detection.

Step 3: Malware Payload Deployment

If all checks pass, the loader delivers what is likely an instance of Remcos RAT, giving the attackers remote access to the infected machine and a foothold for further malicious activity.

  • The final payload is a remote access trojan.
  • It enables full system compromise and potential lateral movement.
  • Targets may experience data theft or surveillance.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • The VBS file is hosted on Dropbox, a trusted file-sharing platform.
  • The malware only executes in specific geographies, limiting exposure.
  • Anti-sandbox techniques help the loader avoid detection during analysis.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Anomalies in sender behavior and email structure.
  • Suspicious use of file-sharing links claiming to be resumes.
  • NLP-driven understanding of email context around job applications.

By learning established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
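The indicators above can be expressed as a simple triage heuristic: a link on a trusted file-sharing host whose filename claims to be a resume but carries a script extension, inside a recruitment-themed message. The following is an added example written for this page, not Abnormal's detection logic; the host list, extension list, keyword patterns and the Dropbox URL path in the sample message are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicator lists are assumptions for this example, not Abnormal's detection logic.
FILE_SHARING_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".scr", ".lnk"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
RESUME_IN_NAME = re.compile(r"cv|resume|r[ée]sum[ée]", re.IGNORECASE)
JOB_CONTEXT = re.compile(r"\b(position|job|hiring|apply|applying|application|opening|vacancy|recruit\w*)\b", re.IGNORECASE)


def score_email(subject: str, body: str) -> list:
    """Return (url, filename, reasons) for each link that offers a script as a 'resume'."""
    text = f"{subject}\n{body}"
    job_context = bool(JOB_CONTEXT.search(text))
    findings = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        name = parsed.path.rsplit("/", 1)[-1]  # query string (e.g. ?dl=1) is not part of the name
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in SCRIPT_EXTENSIONS:
            continue  # a real document (.pdf/.docx) is not the lure described on this page
        reasons = [f"link delivers a script ({ext})"]
        if host in FILE_SHARING_HOSTS:
            reasons.append(f"hosted on trusted file-sharing service {host}")
        if RESUME_IN_NAME.search(name):
            reasons.append(f"filename '{name}' claims to be a resume")
        if job_context:
            reasons.append("recruitment-themed wording in subject/body")
        # A script alone is suspicious; require one contextual indicator to match this lure.
        if len(reasons) >= 2:
            findings.append((url, name, reasons))
    return findings


# Constructed sample modelled on the lure above; the Dropbox path is made up.
SAMPLE_SUBJECT = "Application for the Front Desk Manager position"
SAMPLE_BODY = ("Hello, I am applying for the opening at your hotel. "
               "My CV is here: https://www.dropbox.com/s/x1y2z3/SusyCV.vbs?dl=1 Thank you!")
BENIGN_BODY = "Please find my resume attached: https://www.dropbox.com/s/a9b8c7/Jane_Doe_Resume.pdf"

if __name__ == "__main__":
    for url, name, reasons in score_email(SAMPLE_SUBJECT, SAMPLE_BODY):
        print(name, "->", "; ".join(reasons))
```

A real document link from the same Dropbox host (the benign sample) produces no finding, which keeps the heuristic from flagging every legitimate applicant who shares a PDF.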

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Payload-based

Goal: Malware Delivery

Tactic: File Source Code Obfuscation; Legitimate Hosting Infrastructure

Theme: Fake Document

Impersonated Party: External Party - Other
