Fast Facts
- Malicious LNK files disguised as resumes deliver backdoor malware by exploiting legitimate decoys and DLL side-loading, bypassing user suspicion.
- Attackers establish persistence via scheduled tasks mimicking legitimate services and download encrypted malicious components for stealthy execution.
- Threat actors leverage file disguises and scheduled tasks to embed backdoors like Xctdoor, enabling persistent remote command and control communications.
Threat Overview, Attack Techniques, and Targets
The threat involves malicious shortcut files disguised as resumes. Threat actors name these files to resemble real resumes, including company names and job titles. When a user opens the file, the attack begins. A legitimate-looking document opens as a decoy, but malicious scripts are also triggered in the background. These scripts download more malicious files from external servers.
The attack uses multiple techniques to maintain persistence. Threat actors register tasks in the Task Scheduler, adding entries like “office365” that run scripts periodically. Files are also added to the Startup folder. These actions let the malware run even after the system is rebooted.
The attack targets corporate environments, especially departments like recruitment, sales, and customer service. These teams often receive external resume files. Because these files look normal and are easy to open, they are common targets.
Impact, Security Implications, and Remediation Guidance
This attack allows threat actors to infect systems with backdoor malware, such as Xctdoor. Once infected, systems can communicate with external command-and-control (C2) servers. The malware may also inject malicious DLL files into legitimate programs using DLL side-loading. This technique tricks the system into running harmful code disguised as legitimate software.
The impact includes potential data theft, loss of control over the system, and further malware spread. The attack is difficult to detect because it uses legitimate-looking files, scheduled tasks, and persistence techniques. These methods hide malicious activity from routine security scans.
For response, security teams should check the Task Scheduler for suspicious entries like “office365.” Suspicious files such as ProximityCommon.DLL, settings.dat, and MicrosoftBing.LNK should be identified and deleted from the user profile paths. Employees must verify the file extension and source before opening resume or document files from external sources.
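The checks above, as an added PowerShell triage script that is not part of the original advisory: the task name and the three file names come from the text, while the profile root, the Startup folder locations and the report-only behaviour are assumptions.

```powershell
# Added triage example (not the advisory's own tooling). It reports the
# indicators named above: a scheduled task called "office365", the files
# ProximityCommon.DLL / settings.dat / MicrosoftBing.LNK under user
# profiles, and shortcuts dropped in Startup folders. Assumptions: run as
# an administrator on the suspect host, C:\Users is the profile root, and
# findings are only reported so an analyst can review them before removal.

$taskPattern = 'office365'
$fileNames   = @('ProximityCommon.DLL', 'settings.dat', 'MicrosoftBing.LNK')
$profileRoot = 'C:\Users'
$findings    = New-Object System.Collections.Generic.List[object]

# 1. Scheduled tasks whose name mimics the Office 365 service name.
Get-ScheduledTask | Where-Object { $_.TaskName -match $taskPattern } | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    foreach ($a in $_.Actions) {
        $findings.Add([pscustomobject]@{
            Type     = 'ScheduledTask'
            Location = "$($_.TaskPath)$($_.TaskName)"
            Detail   = "$($a.Execute) $($a.Arguments)"
            When     = $info.LastRunTime
        })
    }
}

# 2. Indicator file names anywhere under user profile paths (name match is
#    case-insensitive, as -contains is by default in PowerShell).
Get-ChildItem -Path $profileRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $fileNames -contains $_.Name } | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Type     = 'IndicatorFile'
            Location = $_.FullName
            Detail   = "Size=$($_.Length) bytes"
            When     = $_.LastWriteTime
        })
    }

# 3. Shortcuts in per-user and all-users Startup folders (persistence).
$startup = @("$profileRoot\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk",
             "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk")
Get-ChildItem -Path $startup -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add([pscustomobject]@{
        Type     = 'StartupShortcut'
        Location = $_.FullName
        Detail   = 'Inspect shortcut target before removal'
        When     = $_.LastWriteTime
    })
}

$findings | Sort-Object Type, Location | Format-Table -AutoSize
```

Run the script on each suspect host and export the table (for example with Export-Csv) so that task names, file paths and timestamps are preserved for the incident record before any deletion.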
Remediation guidance should be obtained from the relevant vendor or security authority to ensure proper removal and protection strategies.
