Fake resumes are being sent to French-speaking businesses as part of an ongoing phishing campaign. Opening them leads to the installation of cryptocurrency miners and information stealers.
"Once the malware is run, it installs a toolkit that can steal credentials, steal data, and mine Monero cryptocurrency for the most money," Securonix said. The cybersecurity company has given the activity the code name FAUX#ELEVATE. The campaign is notable for abusing legitimate services and infrastructure: Dropbox to host payloads, compromised Moroccan WordPress sites to host command-and-control (C2) configuration, and mail[.]ru SMTP infrastructure to exfiltrate browser credentials and desktop files.
This "living off the land" approach shows how attackers can blend in with legitimate traffic, sidestep defenses that trust well-known services, and reach a target's systems without being noticed.
The initial dropper is a Visual Basic Script (VBScript) that displays a fake French-language error message when opened, leading the victim to believe the file is corrupt. Behind the scenes, the heavily obfuscated script runs a series of sandbox-evasion checks and then enters a User Account Control (UAC) loop that repeatedly prompts the user to run it with administrator rights.
Only 266 of the script's 224,471 lines contain executable code. The rest is junk comments made up of random English sentences, which add 9.7 MB of padding to the file and bury the real logic.
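A quick way to see how little of such a file matters is to strip the comments and count what is left. The Python triage script below is an added example, not code from the article or from Securonix: it classifies each line of a VBScript as blank, comment or code, measures the comment fraction, and greps the remaining code for the behaviours attributed to this dropper (the UAC re-prompt, the WMI domain check, Defender exclusions, the EnableLUA registry change and self-deletion). The sample script and the indicator strings (PartOfDomain, ShellExecute with runas, Add-MpPreference, and so on) are constructed for the example; the real dropper is obfuscated and need not contain them verbatim.

```python
"""Static triage of a junk-padded VBScript dropper (added example)."""
import re
from dataclasses import dataclass, field

# Behaviours the article attributes to the dropper, keyed by the strings a
# plain implementation would contain. Spellings are assumptions, not strings
# taken from the real script.
INDICATORS = {
    "WMI domain-join gate (Win32_ComputerSystem.PartOfDomain)": re.compile(r"PartOfDomain", re.I),
    "UAC prompt via ShellExecute ... runas": re.compile(r"ShellExecute.*\brunas\b", re.I),
    "Defender exclusion path added": re.compile(r"Add-MpPreference\s+-ExclusionPath|Exclusions\\Paths", re.I),
    "UAC disabled via EnableLUA": re.compile(r"EnableLUA", re.I),
    "self-deletion": re.compile(r"DeleteFile\s+WScript\.ScriptFullName", re.I),
}


def strip_line_comment(line: str) -> str:
    """Drop a trailing ' comment, ignoring apostrophes inside "..." literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string      # a doubled "" simply toggles twice
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def is_rem_comment(line: str) -> bool:
    """True for a line that is a Rem comment (keyword is case-insensitive)."""
    s = line.lstrip()
    return s[:3].lower() == "rem" and (len(s) == 3 or s[3].isspace())


@dataclass
class Triage:
    total_lines: int = 0
    code_lines: int = 0
    comment_lines: int = 0
    blank_lines: int = 0
    indicators: list[str] = field(default_factory=list)

    @property
    def comment_fraction(self) -> float:
        return self.comment_lines / self.total_lines if self.total_lines else 0.0

    @property
    def padded(self) -> bool:
        # Hand-written scripts rarely exceed about half comment lines; the
        # article's dropper is 266 code lines out of 224,471 (99.9 % padding).
        return self.comment_fraction >= 0.9


def triage_vbs(source: str) -> Triage:
    """Classify each line as blank/comment/code, then scan the code for indicators."""
    t = Triage()
    code = []
    for raw in source.splitlines():
        t.total_lines += 1
        if not raw.strip():
            t.blank_lines += 1
        elif is_rem_comment(raw):
            t.comment_lines += 1
        else:
            stripped = strip_line_comment(raw)
            if stripped.strip():
                t.code_lines += 1
                code.append(stripped)
            else:
                t.comment_lines += 1
    joined = "\n".join(code)
    t.indicators = [name for name, rx in INDICATORS.items() if rx.search(joined)]
    return t


# Constructed sample in the style the article describes: English filler
# comments wrapped around a handful of real statements. Not the actual dropper.
SAMPLE_VBS = r"""' The weather was pleasant and the children played outside.
' She decided to take the long road home that evening.
Rem The committee postponed the meeting until next week.
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Set colCS = objWMI.ExecQuery("SELECT PartOfDomain FROM Win32_ComputerSystem")
' He forgot his umbrella again despite the forecast.
MsgBox "Erreur : le fichier est endommagé et ne peut pas être ouvert.", 16, "Erreur" ' fake error
Set shell = CreateObject("Shell.Application")
shell.ShellExecute "wscript.exe", Chr(34) & WScript.ScriptFullName & Chr(34), "", "runas", 1
CreateObject("WScript.Shell").Run "powershell -c Add-MpPreference -ExclusionPath 'C:\'", 0, True
CreateObject("WScript.Shell").RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", 0, "REG_DWORD"
' The train arrived precisely on time for once.
CreateObject("Scripting.FileSystemObject").DeleteFile WScript.ScriptFullName
"""

if __name__ == "__main__":
    result = triage_vbs(SAMPLE_VBS)
    print(f"{result.code_lines} code / {result.comment_lines} comment lines "
          f"({result.comment_fraction:.0%} comments, padded={result.padded})")
    for name in result.indicators:
        print(" -", name)
```

The comment-fraction threshold is a coarse filter; the indicator hits are what make a file worth a closer look, since a 99 % comment ratio alone also describes some legitimate generated scripts.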
"The malware also uses a domain-join gate with WMI [Windows Management Instrumentation] to make sure that payloads are only sent to enterprise machines and not to standalone home systems," the researchers said. Once the dropper has administrative rights, it quickly disables security controls and covers its tracks: it adds Microsoft Defender exclusion paths for every primary drive letter from C: to I:, turns off UAC through a Windows Registry change, and deletes itself from disk.
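That post-elevation burst is noisy in telemetry: Defender logs every configuration change as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, and Sysmon logs the registry write as a RegistryEvent (Value Set, event 13). The Python detection below is an added example, not Securonix code or a published rule, and it runs over constructed event records: the hostnames, timestamps and message bodies are made up for the example, and the 5007 message text is modelled on the event's usual layout rather than copied from the campaign. It flags a host that excludes several whole drive roots within a short window and a host that zeroes EnableLUA, and it marks the two as chained when they occur together.

```python
"""Detect the post-elevation defence-evasion burst over constructed Windows events (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DEFENDER_5007 = ("Microsoft-Windows-Windows Defender", 5007)   # configuration changed
SYSMON_REG_SET = ("Microsoft-Windows-Sysmon", 13)               # RegistryEvent (Value Set)

# A 5007 message reports the changed setting as a registry-style path; a new
# path exclusion appears under Exclusions\Paths\<excluded path> = 0x0.
EXCLUSION_RX = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\(?P<path>[^=\r\n]+?)\s*=", re.I)
ROOT_DRIVE_RX = re.compile(r"^[A-Z]:\\?$", re.I)            # "C:" or "C:\" and nothing else
ENABLELUA_RX = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)


def parse_event(ev):
    """Normalise one record to ('exclusion', host, ts, path) or ('uac_off', host, ts, details)."""
    host, ts = ev["host"], datetime.fromisoformat(ev["time"])
    key = (ev["provider"], ev["event_id"])
    if key == DEFENDER_5007:
        m = EXCLUSION_RX.search(ev["message"])
        if m:
            return ("exclusion", host, ts, m.group("path").strip())
    elif key == SYSMON_REG_SET:
        if ENABLELUA_RX.search(ev["target_object"]) and re.search(r"0x0+\)", ev["details"]):
            return ("uac_off", host, ts, ev["details"])
    return None


def detect(events, window=timedelta(seconds=60), min_roots=3):
    """Alert on a burst of whole-drive exclusions and on EnableLUA being set to 0."""
    per_host = defaultdict(lambda: {"roots": [], "uac_off": []})
    for ev in events:
        parsed = parse_event(ev)
        if parsed is None:
            continue
        kind, host, ts, value = parsed
        if kind == "exclusion" and ROOT_DRIVE_RX.match(value):
            per_host[host]["roots"].append((ts, value))
        elif kind == "uac_off":
            per_host[host]["uac_off"].append(ts)

    alerts = []
    for host, seen in per_host.items():
        roots = sorted(seen["roots"])
        for start, _ in roots:                       # sliding window over root exclusions
            burst = [drive for ts, drive in roots if start <= ts <= start + window]
            if len(burst) >= min_roots:
                alerts.append({"host": host, "rule": "bulk root-drive Defender exclusions", "drives": burst})
                break
        for ts in seen["uac_off"]:
            chained = any(abs(ts - rts) <= window for rts, _ in roots)
            alerts.append({"host": host, "rule": "UAC disabled (EnableLUA=0)",
                           "chained_with_exclusions": chained})
    return alerts


def exclusion_event(host, time, path):
    """Constructed Defender 5007 record; the message text follows the event's usual layout."""
    return {"host": host, "time": time, "provider": DEFENDER_5007[0], "event_id": 5007,
            "message": ("Windows Defender Antivirus Configuration has changed.\r\n Old value: \r\n "
                        "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                        f"{path} = 0x0")}


SAMPLE_EVENTS = (
    # constructed compromised host: C: through I: excluded within seconds, then UAC switched off
    [exclusion_event("WS-FR-017", f"2025-11-05T10:42:0{i}", f"{d}:\\") for i, d in enumerate("CDEFGHI")]
    + [{"host": "WS-FR-017", "time": "2025-11-05T10:42:07", "provider": SYSMON_REG_SET[0], "event_id": 13,
        "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
        "details": "DWORD (0x00000000)"}]
    # constructed benign case: one narrow exclusion added by an admin elsewhere
    + [exclusion_event("BUILD-01", "2025-11-05T09:15:00", "C:\\Program Files\\BuildAgent\\")]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Whole-drive exclusions are almost never a legitimate administrative action, so the drive-root check alone carries little false-positive risk; the window and the minimum count exist to separate a scripted burst from an admin adding one exclusion by hand.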
The dropper is also responsible for fetching two password-protected 7-Zip archives hosted on Dropbox: gmail2.7z holds the executables for data theft and cryptocurrency mining, while gmail_ma.7z holds the cleanup and persistence tooling. One of the credential-theft tools is a component of the ChromElevator project, which bypasses App-Bound Encryption (ABE) to extract sensitive data from Chromium-based browsers.
The other components include mozilla.vbs, a VBScript stealer that harvests Mozilla Firefox profiles and saved credentials; walls.vbs, a VBScript payload that collects files from the desktop; mservice.exe, an XMRig cryptocurrency miner that starts mining once it has fetched its configuration from a compromised Moroccan WordPress site; and WinRing0x64.sys, a legitimate Windows kernel driver that XMRig uses for low-level CPU (MSR) access to raise its hash rate.
RuntimeHost.exe is the persistent trojan component; it modifies Windows Firewall rules and beacons to a C2 server at regular intervals. Once credentials have been stolen and data exfiltrated, the chain aggressively cleans up every other dropped tool, leaving only the miner and the trojan behind.
Securonix said: "The FAUX#ELEVATE campaign shows a well-planned, multi-stage attack operation that uses a number of interesting methods in a single infection chain. The speed of execution is what makes this campaign especially dangerous for enterprise security teams. The full infection chain takes about 25 seconds to complete, from the first VBS execution to the theft of credentials. The campaign also only targets domain-joined machines, which means that every compromised host provides maximum value through corporate credential theft and persistent resource hijacking."