Phishing Campaign Uses Fake Resumes for Credential Theft and Crypto Mining
Severity: High (Score: 63.9)
Sources: Escudodigital, Thehackernews
Summary
A phishing campaign is targeting French-speaking corporate environments, using fake resumes to deploy malware that steals credentials and mines cryptocurrency. The attackers use highly obfuscated VBScript files disguised as CV documents, delivered as phishing email attachments. Once executed, the malware launches a toolkit for credential theft, data exfiltration, and Monero mining. The campaign, named FAUX#ELEVATE, relies on legitimate services such as Dropbox and compromised Moroccan WordPress sites for its operations. The initial VBScript displays a fake error message to trick users into re-running it with administrative privileges. The malware can disable security controls and erase its tracks quickly, completing its attack chain in approximately 25 seconds, which makes it a significant risk to enterprise security because of its speed and stealth. Researchers from Securonix have identified specific email accounts used to exfiltrate the stolen data.

Key Points:
- Phishing campaign targets French-speaking corporate environments with fake CVs.
- Malware deploys credential theft and Monero mining tools within 25 seconds.
- Attackers use legitimate services for command and control operations.
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- FAUX#ELEVATE (campaign)
- duck.com (domain)
- mail.ru (domain)
- T1047 - Windows Management Instrumentation (mitre_attack)
- T1059.005 - Visual Basic (mitre_attack)
- T1566.001 - Spearphishing Attachment (mitre_attack)
- Chromium-based Browsers (platform)
- Microsoft Defender (platform)
- Windows (platform)
- WordPress (platform)
- Dropbox (tool)
- ChromElevator (tool)
- VBScript (tool)