Posing as recruiters, threat actors are delivering the dangerous Vampire Bot malware to unsuspecting job seekers.
A hacking group known as BatShadow has launched a new attack which targets people searching for jobs, especially in marketing and corporate roles. Using fake job offers and documents, BatShadow trick their victims into running malicious files which install malware on their PCs. The malware at the center of the attack is called Vampire Bot. Built using the Go programming language, Vampire Bot is fast, efficient, and difficult for antivirus tools to detect.
While you may not be actively seeking a new job, there’s a good chance that the mechanics of this attack could be employed within a different malware campaign. That’s why we’re going to show you exactly how it works and how to stay safe.
A New Threat Lurking in Job Offers
The scam starts when a target receives what looks like a genuine ZIP file from a recruiter or organization. Inside are documents that, on the surface, appear professional. Taking the form of job descriptions or onboarding materials, they give little sign that anything is suspicious. However, hidden among them is a malicious file disguised as a PDF. Once executed, it quietly activates a malicious script in the background.
This script connects to the hacker’s remote server, downloading a further PDF – claiming to be advertising a marketing job at Marriott – and further tools to give the hacker access. Within the fake PDF are a series of links which lead the target to malicious web pages. One of these pages will claim that the victim’s browser isn’t supported and, with some urgency, tell them to open the file in Microsoft Edge. This technique is employed to help the hackers bypass certain browser security protections.
Finally, the target is urged to download yet another PDF. This final one appears to be a job description, but it’s actually an executable file. Once this is opened, it quickly installs Vampire Bot. The main objective of Vampire Bot is to harvest data. It collects system details, takes screenshots, and can communicate with the attacker’s command server. From there, the hacker can steal information or download additional malware to the infected PC.
The BatShadow group is believed to be operating from Vietnam. Investigators traced one of the IP addresses used in the attack to a source that had previously been attributed to Vietnamese hackers. But this latest campaign appears to indicate a step-up in their efforts, with the attack being more advanced and unfolding over multiple stages to deceive cybersecurity defenses.
How to Protect Your PCs from These Attacks
Fortunately, you don’t need a top-level degree in cybersecurity to stay safe from this and similar attacks. Instead, you just need to be cautious, so make sure you practice the following:
- Be Wary of Unsolicited Job Offers: If you’re not actively searching for a new job, you should be highly suspicious if you receive an unsolicited job offer with file attachments. If you do receive such an email, always verify through official channels before doing anything.
- Always Check File Extensions: When dealing with email attachments, always check that the files you’re about to open truly end with the correct file extensions, e.g. .pdf or .docx. Files that appear with a genuine file extension followed by a .exe extension – such as .pdf.exe – should instantly ring alarm bells.
- Update Your Software: It’s crucial that you regularly update your browser, operating system, and antivirus software. This helps your defenses stay on top of known exploits and emerging threats.
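The file-extension check can be run over a ZIP attachment before anything inside it is opened. The Python sketch below is an added example, not part of the original article or any vendor tool; the extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists (not from the article): extensions Windows runs directly,
# and document types an attachment usually claims to be.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".lnk", ".js", ".vbs", ".ps1"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify(name):
    """Return 'double-extension', 'executable' or None for one archive entry."""
    # Windows ignores trailing dots and spaces, so drop them before parsing.
    base = PurePosixPath(name.replace("\\", "/")).name.rstrip(". ")
    stem, dot, ext = base.rpartition(".")
    if not dot or ("." + ext.lower()) not in EXECUTABLE_EXTS:
        return None
    inner = stem.rstrip(". ").rpartition(".")
    if inner[1] and ("." + inner[2].lower()) in DOCUMENT_EXTS:
        return "double-extension"  # e.g. name.pdf.exe
    return "executable"


def scan_zip(source):
    """Map each suspicious entry in a ZIP (path or file object) to its finding."""
    findings = {}
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            # Directory entries are skipped; only file names are classified.
            verdict = None if info.is_dir() else classify(info.filename)
            if verdict:
                findings[info.filename] = verdict
    return findings


def build_sample():
    """Constructed sample archive; the names and contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("offer/Job_Description.pdf", b"placeholder")
        archive.writestr("offer/Onboarding.docx", b"placeholder")
        archive.writestr("offer/Marketing_Role.pdf.exe", b"placeholder")
        archive.writestr("offer/setup.EXE", b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, verdict in scan_zip(build_sample()).items():
        print(f"{verdict:17} {entry}")
```

The scan reads only the archive's file listing and never extracts or runs an entry, so it is safe to point `scan_zip` at a downloaded attachment's path.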
For more ways to secure and optimize your business technology, contact your local IT professionals.





