Cisco Blogs

My Resume Protects All Your Files

- June 5, 2015 - 6 Comments

This post was authored by Nick Biasini

Talos has found a new SPAM campaign that is using multiple layers of obfuscation to attempt to evade detection. Spammers are always evolving to get their messages to end users by bypassing SPAM filters while still appearing convincing enough to get a user to complete the actions required to infect the system. The end payload for this campaign is Cryptowall 3.0. Talos has covered this threat repeatedly, and this is another example of how the success of Ransomware has pushed it to one of the top threats we are seeing today. Whether it's Exploit Kits or SPAM messages, threat actors are pushing as many different variants of Ransomware as possible.

Email Details

The use of resume-based SPAM isn't anything new. An analysis of our telemetry has found countless messages in the last 30 days related to resumes. Threat actors have tried many different techniques with these messages, including password-protected zip files, Word documents with embedded macros, and malicious URLs redirecting back to a malicious sample. This threat combines a series of techniques to try to avoid detection, and it has been surprisingly successful against some products. Below is a sample of one of the emails that we saw in our telemetry.

[Image: Sample Email]

The concept for the email is simple enough: an attached zip file that contains a resume. One interesting thing is that the threat actor made it look like a reply to an existing email and not something that was sent unsolicited. Also note the file size: this is only a 276-byte zip file. Inside that zip file is an HTML file with a name similar to resume4522.html. Below are the contents of the HTML file:

<iframe src="http://<redacted>/cgi/resume2.php?id=726" width="911" height="818" style="position:absolute;left:-10118px;"></iframe>

If the user does open the HTML document, they are redirected to a compromised WordPress site, which in turn redirects via another iframe to the following URL over SSL:

The file stored in Google Drive at this location is named This is where the actual malicious file resides. Inside this zip file is another file with a name like my_resume_pdf_id_6721-3921-3211.scr. When executed, this file drops Cryptowall on the system and compromises it. Below is a diagram showing the full infection path.
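The HTML stage of this chain is easy to spot on the mail gateway: a tiny zip whose only member is an HTML file consisting of an iframe pushed thousands of pixels off-screen. The scanner below is an added example (not Talos code) that builds such an attachment in memory from a constructed sample (the host example.invalid stands in for the redacted URL), then flags HTML members that load an external iframe hidden by CSS offsets, display:none or visibility:hidden.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

# Constructed sample modelled on the attachment described in the post:
# a small zip holding one HTML file whose only content is an off-screen iframe.
SAMPLE_HTML = (
    '<iframe src="http://example.invalid/cgi/resume2.php?id=726" '
    'width="911" height="818" style="position:absolute;left:-10118px;"></iframe>'
)

def build_sample_zip() -> bytes:
    """Return the constructed zip attachment as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("resume4522.html", SAMPLE_HTML)
    return buf.getvalue()

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def iframe_is_hidden(attrs: dict) -> bool:
    """True when the iframe is positioned off-screen or hidden outright."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    # A large negative left/top offset moves the frame outside the viewport.
    offscreen = re.search(r"(left|top):-(\d+)px", style)
    if offscreen and int(offscreen.group(2)) >= 1000:
        return True
    return "display:none" in style or "visibility:hidden" in style

def scan_zip_attachment(data: bytes) -> list:
    """Return one finding per hidden, externally sourced iframe in any HTML member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".html", ".htm")):
                continue
            parser = IframeCollector()
            parser.feed(zf.read(info).decode("utf-8", "replace"))
            for fr in parser.iframes:
                src = fr.get("src") or ""
                if src.startswith(("http://", "https://")) and iframe_is_hidden(fr):
                    findings.append({"member": info.filename, "src": src})
    return findings
```

Each finding names the zip member and the URL the hidden frame would fetch, which is what an analyst needs to pull the next stage from the compromised site for blocking.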

[Image: Infection Chain for this Campaign]

This is another example of how attackers are combining multiple layers of obfuscation to get users infected, and this particular technique appears to be quite successful. An analysis of the malicious URL in question showed that a large number of users who received the email were seen attempting to download the file from the compromised WordPress site. These attacks are successful because these types of emails are seen legitimately as well. If they happen to reach someone who is in the process of hiring or evaluating candidates, they are likely to open the attachments and follow the process. In the past we have seen campaigns similar to this, but the malicious file was present inside the zip file and not hidden behind multiple layers of redirection via iframes. This also allows a threat actor to vary the payload by doing nothing more than changing the file stored on Google Drive.


This is yet another threat that is delivering Ransomware. The number of threats that have started delivering Ransomware is growing at an alarming rate. Talos recently discussed an Angler Exploit Kit campaign delivering Cryptowall 3.0, and this threat is doing the same. One interesting thing is the number of small variations that are being seen in Cryptowall 3.0 now. The hashes change often, allowing for a longer window of exploitation. You can track the effectiveness by looking at tools like VirusTotal. When the SPAM campaign starts, detection is limited to only a couple of antivirus technologies, and none of them successfully detect it as Ransomware. Within 24 hours detection is up to over 25 antivirus engines and the campaign is over. Now the attackers will start a new campaign through Exploit Kit or SPAM using a new hash and get that initial 24-hour window of success. This is something Talos has observed in other common threats like Dridex and Upatre. It appears that threat actors are now adding Ransomware to this group of ever evolving, ever present threats on the Internet.


Zip Files

Cryptowall 3.0


Threat actors are always looking at ways to monetize their activities. In the past this would involve things like banking credentials, SPAM generation, or other credentials with monetary value. Now we are seeing threats deliver Ransomware in every way possible. As users continue to pay the ransom, bad guys will keep figuring out new ways to get it installed on your system. This is just another example of this type of behavior, now hiding in multiple layers of obfuscation: embedding an HTML document that links to a compromised site, which redirects to a file hosted on Google Drive over SSL. That is an effective way to get a file onto an end system. Combine that with an ever evolving Ransomware variant that gives you a window of up to 24 hours where, if you can get the file on the desktop, you are likely to get it executed. Once executed, it's just a matter of time before the user pays the ransom to get their files back.

If you haven't been infected by Ransomware yet, the likelihood is that either you or someone you know will be in the future. Remember that the best way to counter these effects is to back up your data early and often. Additionally, use best practices like not keeping the backup drives attached to the system, or even rotating two drives, to decrease the potential for severe data loss. The cost of doing these backups is small compared to the cost of paying the ransom or losing the data, and remember that paying the ransom just encourages more development. Additionally, even if you pay the ransom there is no guarantee that anything has been removed from your system, and the possibility of persistent infection remains.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.

ESA can block malicious emails, including phishing and malicious attachments sent by threat actors as part of their campaign.




    Thanks for the heads up !! Seeing an increase in this type of Spam campaign. Keep up the great work!!

Hi. First, I'd like to thank Talos for the great Cryptowall description. Last week one computer in my environment was targeted with Cryptowall 3.0. It was an old box, almost unused, but during the attack it was mapped to two important network resources. One of them was located on a Windows 2003 Server (yes, it's still running here!) and the second was on a Samba server based on Linux. Some of the files on the Samba share were damaged according to their file extension, but NONE of the Win'2003SRV files was hurt. I found four infamous "HELP_DECRYPT" files written down to the root directory on the Win'2003 share, but no file was damaged and "HELP_DECRYPT" files didn't occur in subsequent directories. Can you explain, is there any fundamental reason why Cryptowall was unable to harm files on the Win'2003 share? If yes, is it possible to build other resources in such a way to prevent Cryptowall doing its bloody work? The user connected to Win'2003 had read/write access to all files on this share, but without full control.

    Definitely useful information. Cryptowall has been a major pain for a lot of our clients.

    excellent work from Talos

    Thanks and great report!