Hackers using malicious CV files to infect PCs with banking trojan

Here’s why one should never open unknown files sent by anonymous users.

A New CV-themed phishing campaign distributes banking trojan – This also highlights why one should never open unknown files sent by anonymous users.

Check Point researchers have released their latest report highlighting an increase in ‘CV-themed’ campaigns mainly in the USA, and in some parts of the UK and Romania. The researchers noted that organizations are being trapped through bogus CVs sent to their official emails. 

The phishing campaign works in such a way that the emails received by organizations in the US contain MS Excel .xls attachments loaded with ZLoader malware.

For your information, ZLoader malware is an equally notorious variant of Zeus malware and can perform a variety of tasks including stealing the victim’s login credentials, password, web browser cookies, and private data.

ZLoader malware also functions as banking Trojan, therefore, its prime targets are financial institutions and bank customers.


The attackers are using common subject lines like “regarding a job,” or “applying for a job” to lure victims into opening the email and click on the attachment.

When the victim opens the attachment, a message appears asking the user to ‘enable content’, and as soon as this is done, a malicious macro is activated that downloads the final payload.

 Hackers using malicious CV files to infect PCs with banking trojan
Image: Check Point

After the device gets infected, the attackers can carry out financial transactions easily using the device.

See: Hackers leak data of 29 million Indian job seekers for download

The emails received by organizations in the UK come with the subject line “CV from China” and the malicious .exe file (CV.exe) file is dropped by an ISO file (CV.iso), which runs an information-stealing malware on the device.

According to a blog post published by Check Point, there are some campaigns where another banking Trojan called Icedid malware is delivered through Medical Leave forms. It is worth noting that previously anti-virus giant McAfee’s ClickProtect Email Protection service was also infected with Icedid malware.


The same malware was also dropped as additional payload in a campaign aiming at stealing passwords and credit/debit card numbers from Chrome and Firefox browsers.

As for the ongoing campaign; emails containing infected documents titled “COVID-19 FLMA CENTER.doc” and having subject lines like “The following is a new Employee Request Form for leave within the Family and Medical Leave Act (FMLA)” are also identified by Check Point researchers.

Another campaign is delivering the Trickbot banking Trojan in which the same FMLA trick is employed to distribute malware. 

 Hackers using malicious CV files to infect PCs with banking trojan
Image: Check Point

Furthermore, researchers observed that during the month of May, around 250 new domains involving the word “Employment” were registered, out of which 7% were infected and 9% were suspicious.

Similarly, the ratio of CV-themes phishing campaigns has also doubled in the past two months as one out of every 450 malicious files is a CV scam. 


Evidently, threat actors are trying to cash-in on the COVID-19-led economic crisis that’s rendered countless people unemployed to obtain sensitive financial data.

Last month, Hackread.com had exclusively reported on the growing trend of registering Coronavirus-themed domains and researchers fear that these domains will be used for attacks against unsuspecting users already under lockdown.

See: How to Write a Resume for a Cybersecurity Position

Therefore, refrain from opening any email that contains the subject line related to employment or CV or Coronavirus. You can use VirusTotal to scan for malicious files and URLs or install reliable anti-virus software to scan your system regularly.

Related Posts