
HR and Recruiters Hit by Year-Long Malware Attack

Summary

– A stealthy attack campaign targets HR and recruiting departments using resume-themed ISO files delivered via recruitment channels.
– The attackers use a sophisticated infection chain involving a malicious PDF shortcut, PowerShell scripts, and DLL sideloading to deploy malware.
– The malware performs extensive checks for analysis environments and terminates if it detects virtual machines, debuggers, or systems in Russia/CIS countries.
– A previously undocumented tool named BlackSanta is used to kill antivirus and endpoint detection software by exploiting vulnerable kernel drivers.
– The campaign’s final goal appears to be information theft, and it has likely been operating silently for over a year as a targeted, low-noise operation.

A sophisticated and long-running malware campaign has specifically targeted human resources professionals and recruitment specialists, according to recent cybersecurity findings. This operation, believed to have been active for over a year, employs advanced techniques to evade detection and disable security software on compromised systems. The stealthy nature of the attack suggests a highly targeted effort aimed at gathering sensitive information from within organizations.

The infection chain begins with a deceptive resume-themed ISO file distributed through recruitment channels, likely via spam emails. Potential victims are directed to download this file from cloud storage services like Dropbox. When mounted, the ISO appears as a normal local drive containing what seems to be a PDF document. This file is actually a disguised Windows shortcut whose real extension is hidden. Executing it triggers a sequence that launches the Windows command shell and PowerShell, ultimately running a malicious script from the mounted drive.

This initial PowerShell script performs a clever data extraction. It pulls hidden code from an image file to create and run another script in memory. This secondary script downloads a ZIP archive from attacker-controlled domains with names mimicking legitimate resume services. The archive contains two files: a legitimate application and a malicious DLL. The attackers use a technique called DLL sideloading, where the clean application is forced to load the harmful DLL, thereby executing the malware.

Stealth is a paramount objective for this threat actor. The malicious DLL first gathers basic system information and contacts a command-and-control server. It then conducts a series of checks for analysis environments, including virtual machines, debuggers, and sandboxes. If any are detected, the malware immediately terminates. It also halts execution if it determines the infected machine is located in Russia or a Commonwealth of Independent States country, hinting at the operators’ origins.

To further evade defenses, the malware modifies Windows registry keys to disable cloud-based protection and automatic sample submissions to Microsoft. It also checks system settings related to memory integrity, which could affect later stages of the attack. Additional steps are taken to mask the operational “noise” created by the payload. Finally, after downloading more modules from the server, the malware uses process hollowing, a method where a legitimate process is hijacked and its memory replaced with malicious code, to launch them.
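Two of the observable steps above, the document-lookalike shortcut on the mounted ISO and the registry tampering with Defender cloud protection, can be turned into simple detection rules. The following is an added example, not code from the article or the researchers: it runs over a constructed, simplified Sysmon-like event list and assumes the well-known Defender Spynet policy values (SpynetReporting, SubmitSamplesConsent), which the article does not name.

```python
import re

# Constructed sample events (not from the article), in a simplified Sysmon-like shape.
# kind "file": a file observed on a newly mounted volume; kind "registry": a value written.
SAMPLE_EVENTS = [
    {"kind": "file", "path": r"E:\Resume_John_Doe.pdf.lnk"},
    {"kind": "file", "path": r"E:\photo.png"},
    {"kind": "file", "path": r"C:\Users\hr\Desktop\candidate.pdf"},
    {"kind": "registry", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",
     "value": "SpynetReporting", "data": "0"},
    {"kind": "registry", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",
     "value": "SubmitSamplesConsent", "data": "2"},
    {"kind": "registry", "key": r"HKCU\Software\Example", "value": "Setting", "data": "1"},
]

# A shortcut whose stem ends in a document extension, e.g. "resume.pdf.lnk": Explorer hides
# the real .lnk extension by default, so the user only sees "resume.pdf".
DOC_LNK = re.compile(r"\.(pdf|docx?|xlsx?|rtf|txt)\.lnk$", re.IGNORECASE)

# Defender cloud-protection (MAPS) values under the Spynet key (assumed, not named in the
# article): SpynetReporting = 0 disables cloud protection; SubmitSamplesConsent = 2 = never send.
SPYNET_KEY = re.compile(r"\\Windows Defender\\Spynet$", re.IGNORECASE)
DISABLING_VALUES = {"SpynetReporting": {"0"}, "SubmitSamplesConsent": {"2"}}

def check_file(event):
    """Return an alert string for a document-lookalike shortcut, else None."""
    if DOC_LNK.search(event["path"]):
        return f"disguised shortcut: {event['path']}"
    return None

def check_registry(event):
    """Return an alert string when a Defender cloud-protection value is set to disable it."""
    if not SPYNET_KEY.search(event["key"]):
        return None
    bad = DISABLING_VALUES.get(event["value"])
    if bad and event["data"] in bad:
        return f"Defender cloud protection tampered: {event['value']}={event['data']}"
    return None

def analyze(events):
    """Run both checks over the event list and return all alerts in event order."""
    alerts = []
    for ev in events:
        hit = check_file(ev) if ev["kind"] == "file" else check_registry(ev)
        if hit:
            alerts.append(hit)
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the sample events this yields three alerts: the disguised shortcut and the two Defender values; a shortcut named plainly or a value set to a non-disabling state produces none.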

Researchers uncovered that this threat actor also uses a previously undocumented tool dubbed BlackSanta, an EDR killer module. This component loads vulnerable, signed kernel-mode drivers to gain high-level access to system memory and processes. Rather than a simple auxiliary tool, BlackSanta acts as a dedicated defense-neutralization module that programmatically identifies and interferes with security and monitoring processes. By targeting endpoint detection engines and logging agents, it directly reduces alerts, limits behavioral logging, and cripples investigative capabilities on compromised hosts.

The ultimate goal of this campaign appears to be data theft. While researchers could not retrieve the final payload due to an unavailable command server, analysis of related infrastructure strongly suggests the deployment of information-stealing modules. The prolonged, low-noise operation indicates a deliberate focus on infiltrating HR and recruitment departments, where access to vast amounts of personal and corporate data can be found.

(Source: HelpNet Security)
