Fake CVs, Real Threat
Resume-Themed Lures Deliver Remcos RAT via Dropbox

What is the attack?
Phishing Delivery: Attackers distributed recruitment emails targeting the hospitality sector, pretending to be job seekers.
Dropbox Link: The emails contain a Dropbox link leading to a VBS file masquerading as a resume (e.g., SusyCV.vbs).
VBS Loader: The multi-stage loader verifies the victim’s location and environment before delivering a likely Remcos RAT payload.
Why did it get through?
Trusted Hosting: The VBS file is hosted on Dropbox, making it harder for security filters to flag it as malicious.
Geofencing: The malware executes only if the victim is in the UK, New Zealand, Australia, or Canada.
Anti-Sandboxing: The loader checks if it’s running in a virtualized or analysis environment before executing the final payload.
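The "Dropbox Link" and "Trusted Hosting" points above suggest a check that looks past the reputable host to the shared file's name and extension. The following is an added example, not code from the original page or from Abnormal: the host list, extension list, lure keywords, and sample email body are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed policy values for illustration; tune to your own mail flow.
FILE_HOSTS = {"dropbox.com", "dropboxusercontent.com"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
LURE_WORDS = re.compile(r"cv|resume|curriculum|application", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def host_matches(host):
    """True if host is a listed file-sharing domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in FILE_HOSTS)

def score_url(url):
    """Return a finding if the link shares a script file from a trusted host."""
    parts = urlsplit(url)
    if not parts.hostname or not host_matches(parts.hostname):
        return None
    # Last path segment is the shared file name; decode %20 etc. first.
    name = unquote(parts.path.rsplit("/", 1)[-1])
    # Use the final extension so "Resume.pdf.vbs" is treated as a script.
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in SCRIPT_EXTS:
        return None
    return {"url": url, "file": name, "ext": ext,
            "resume_themed": bool(LURE_WORDS.search(name))}

def scan_body(body):
    """Extract URLs from an email body and return findings for risky links."""
    urls = (u.rstrip(".,;:!?") for u in URL_RE.findall(body))
    return [f for f in map(score_url, urls) if f]

# Constructed sample email body (IDs and keys are placeholders).
SAMPLE_BODY = """Hello, I am applying for the front desk role. My CV:
https://www.dropbox.com/scl/fi/EXAMPLEID/SusyCV.vbs?rlkey=EXAMPLE&dl=1
Portfolio: https://www.dropbox.com/s/EXAMPLEID/portfolio.pdf?dl=0
Personal site: https://example.com/SusyCV.vbs
Older copy: https://www.dropbox.com/s/EXAMPLEID/Resume%202024.pdf.vbs."""

if __name__ == "__main__":
    for finding in scan_body(SAMPLE_BODY):
        print(finding["file"], finding["ext"], finding["resume_themed"])
```

A hit here is a triage signal for quarantine or user warning, since the loader's geofencing and anti-sandboxing checks may keep a detonation sandbox from ever seeing the final payload.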
What is required to solve for this attack?
Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and URLs as anomalies that enable the detection of novel attacks.
Content Analysis and Natural Language Processing: Abnormal understands the email's content, recognizing the urgency and financial implications as indicators of a financially themed attack.