Resumés with Malicious ISO Attachments are Circulating

By Howard Solomon, CSO Magazine

HR staff need to understand that these unfamiliar files execute commands and shouldn’t be opened.

Threat actors are still having success tricking human resources staff into opening malware-infected phishing emails.

The latest example is detailed by researchers at Aryaka, who this week described a campaign by an unnamed threat actor who is distributing resumés containing a malicious ISO file to HR departments. It’s delivered through recruitment channels, and hosted on what an employee, or an email gateway’s filters, would see as trusted cloud infrastructure.

When the victim mounts the ISO, which is an image of an optical disc such as a DVD, and opens its contents, a malicious shortcut (.lnk) is executed, launching obfuscated PowerShell commands that extract hidden payloads embedded within a steganographic image. A malicious DLL is then sideloaded by a legitimate signed application, allowing the attacker’s code to run under the guise of trusted software. The goal is to harvest data from the infected computer.
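The chain above leaves a recognisable footprint in process-creation telemetry: explorer.exe launching PowerShell from a freshly mounted volume with hidden, no-profile or encoded-command flags. The following is an added example written for this page, not code from the article or from Aryaka; it scores Sysmon-style process-creation records (constructed, with field names assumed to mirror Sysmon Event ID 1) and decodes any -EncodedCommand argument so an analyst can see what the shortcut actually ran.

```python
import base64
import re

# PowerShell switches commonly combined for quiet execution from a shortcut.
SUSPICIOUS_FLAGS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|w\s+hidden|nop|noprofile)\b")
# Captures the base64 blob following -e / -ec / -enc / -EncodedCommand.
ENCODED_ARG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline):
    """Return the script hidden in a -EncodedCommand argument (UTF-16LE base64), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):
    """Score one process-creation record; returns (score, list of reasons)."""
    reasons = []
    if not ev.get("Image", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return 0, reasons
    cmd, cwd = ev.get("CommandLine", ""), ev.get("CurrentDirectory", "")
    if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("PowerShell spawned by explorer.exe (user double-click, e.g. a .lnk)")
    if SUSPICIOUS_FLAGS.search(cmd):
        reasons.append("hidden / no-profile / encoded-command flags")
    if cwd and not cwd.lower().startswith("c:\\"):
        reasons.append(f"working directory on non-system volume {cwd[:2]} (mounted ISO?)")
    decoded = decode_encoded_command(cmd)
    if decoded and re.search(r"(?i)\.(?:png|jpg|jpeg|bmp)\b", decoded):
        reasons.append("decoded command reads an image file (possible steganographic payload)")
    return len(reasons), reasons

def triage(events, threshold=3):
    """Return only the records whose score reaches the threshold."""
    return [(s, r) for s, r in map(score_event, events) if s >= threshold]

# Constructed sample data: the encoded script mimics the "read an image" step.
SAMPLE_SCRIPT = "Get-Content 'D:\\resume\\photo.png' -Encoding Byte"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CurrentDirectory": "D:\\",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"},  # the article's chain
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CurrentDirectory": "C:\\Scripts\\",
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"},  # benign admin task
]

if __name__ == "__main__":
    for score, reasons in triage(SAMPLE_EVENTS):
        print(score, reasons)
```

The drive-letter heuristic assumes the system volume is C:; adjust it for your fleet, and pair it with Windows Defender / Sysmon file-create events for .iso attachments to catch the mount itself.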

The malware’s most alarming feature, says Aryaka, is an internal module dubbed BlackSanta, which shuts down the endpoint detection and response (EDR) agents that would otherwise detect this attack. It uses a Bring Your Own Vulnerable Driver (BYOVD) technique: it loads legitimate but exploitable kernel drivers to gain low-level system access, then systematically turns off security tools.
