Security Alert
Barkly Research
Dec 2017

New Spam Campaign Uses Fake Resumes, Legitimate Microsoft BITS Feature to Spread Malware


A new wave of spam emails is delivering evasive malware via fake job applications and resumes.

Key Details

  • Timely attack campaign: Attackers are taking advantage of the New Year, a time when hiring initiatives and the number of job applications companies recieve is up, to send fake resumes hiding malware.
  • Word document attachments are password-protected: This allows them to evade detection from sandboxing and filtering.
  • Attack abuses legitimate Windows tool: Once enabled, a macro embedded in the Word document launches Windows Background Intelligent Transfer Service (BITS) to download the payload (a trojan called "Smoke Loader"). Because it is a legitimate service, use of BITS can bypass detection and whitelisting.
  • Malware payload is stealthy and difficult to remove: Once on a machine, the Smoke Loader trojan evades detection by injecting itself into legitimate processes and establishes persistence by making changes to the registry.
  • Barkly blocks Smoke Loader: Barkly blocks the Smoke Loader payload from executing, but also prevents it from even touching the machine by blocking the execution of the malicious Word document macro. 
  • empty
  • empty
  • empty

See what the Smoke Loader attack looks like and watch Barkly block it.
See Barkly in action

A new wave of malicious phishing emails is currently infecting victims with Smoke Loader, malware that provides remote control to perform a plethora of activities ranging from stealing credentials to downloading other malware payloads.

According to My Online Security, the trojan is being delivered via a spam campaign that utilizes password-protected Word document attachments, which allows them to evade sandboxes (because they require human interaction to open) and make email and AV scanning more difficult.

With the new year right around the corner, tis the season of recruiting and job applications, and these nefarious actors are leveraging that to their benefit. The email is floating around with the subject line of ‘Website Job Application’ and is just convincing enough to potentially persuade a busy end user to open the attachment. 


"Website Job Application" spam email. Source: My Online Security

The Word document

On opening the file, the user is prompted for the password (123456), and after successful login, the user is asked to run the macro by clicking the Enable Editing or Enable Content button.


Fake resume Word document attachment.

The Word document is embedded with VBA macros, which contains the ‘AutoClose’ function that prohibits it from running until the Word document has been closed — another technique utilized to avoid sandbox analysis.

Abusing Windows Background Intelligent Transfer Service (BITS) to download the payload

At this point, instead of launching PowerShell to download a payload from the Internet — as we've seen the majority of similar malware campaigns do — this campaign utilizes Background Intelligent Transfer Service (bitsadmin.exe), a legitimate Microsoft command-line tool. In non-malicious cases, BITS is used to create valid download or upload jobs, primarily for Windows and third-party software updates. In this case, however, it’s abused to download the malicious Smoke Loader payload.

For more details on how attackers can abuse BITS to download malware, see this post from SecureWorks.


Embedded macro.

Because BITS is a valid component of Windows, use of it can blend into legitimate system activity and be very difficult for many security solutions to detect. This tactic of "living off the land" is a dangerous trend we've seen gaining traction throughout the year. 

The Smoke Loader payload

Smoke Loader, also known as “Dofoli, ” is downloaded from hxxp:// (a domain in Africa) and is renamed as ASxas.exe. It is primarily used to download a variety of other malware onto the infected machine. Recent examples include the TrickBot banking trojan, GlobeImposter ransomware, and most currently, cryptocurrency miners.

What makes Smoke Loader interesting is the various tricks it has up its sleeve, which includes:

  • injecting its code into legitimate processes like explorer.exe and svchost.exe to evade detection
  • stealing credentials from browsers, email and FTP clients, etc.
  • adding registry entries to achieve persistence and load itself on each startup
  • disabling some AV solutions

Because of its evasive, persistent nature, it is important to prevent Smoke Loader infections from taking hold in the first place. The best way to do that is by reminding users not to trust documents they receive over email, blocking macros in Office files downloaded from the Internet (here's how to use Group Policy to do that), and using a solution like Barkly designed to provide defense in depth against these attacks.

Watch Barkly block this attack before the payload can be delivered 


Blocking old and new techniques that deliver malware

Gaining control of machines via spam emails is one of the oldest tricks in the book for attackers. Yet they’re constantly introducing new variations and techniques to this routine in attempts to bypass security.

Barkly, unlike traditional AVs, is designed to provide protection against malware like Smoke Loader at multiple stages of the attack chain. Not only does it prevent the trojan from executing, it prevents the macro embedded in the Word document from launching, thereby stopping the attack before the payload can even touch the machine. As a result, no damage is incurred.



Learn more about how Barkly's protection works and how it can protect your company here.


  • Word-doc: d16987127fb303ccee876d2b3ec3798f4d31a659b2a5da32be598f2c32d48a21
  • SmokeLoader: f181aafa4cc93117631f2376cb3543d7f4f6c0570cf95cb8bb526e99ab56f095
Barkly Research

Barkly Research

Barkly's malware research team is hard at work stopping new malware that sneaks past antivirus.


Close the gaps in your security

See how Barkly blocks attacks other solutions miss.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.