Analysis of the attacks revealed the use of a trojanized version of a curriculum vitae (CV) to target the human resources department at German-speaking businesses. The observed source email addresses were created through vodafonemail.de.
During the initial phase of the attack, code within the CV file runs a script to fetch additional payloads and fingerprint the victim machine (installed programs, computer name and domain, etc). Next, the script attempts to gather saved credentials from browsers and mail applications, cookies, and credit card data, and kills task hosts and DLL hosts processes.
Stolen credentials are archived and sent to the attackers’ command and control (C&C) server, and then a scheduled task is created to serve as a heartbeat beacon. A BAT file then deletes all traces of the intrusion.
