As the unemployment rate in the United States has soared beyond 20%, cybercriminals have devised yet another scheme to exploit the impact of the coronavirus.

In a new malware campaign spotted by cyber threat intelligence provider Check Point Research, attackers spoof job seekers by sending out emails with file attachments that claim to be curriculum vitae (CV). Instead, the files house malware capable of stealing user credentials and other private information. In a blog post published Thursday, Check Point explained how this campaign works.

SEE: Security Awareness and Training policy (TechRepublic Premium)

CV scam

Sent to employees at various businesses, the initial emails contain such subject lines as “applying for a job” or “regarding job.” The body of the email reads like a standard, albeit brief, cover letter with the alleged applicant expressing an interest in working for the company. Included in the email is a Microsoft Excel file with a name indicating that this is the person’s CV.

Check Point Research

If the unsuspecting employee clicks on the Excel attachment, a macro in the file runs and downloads its malicious payload, namely the Zloader malware. Labeled a banking trojan, Zloader stems from the Zeus malware, which tries to steal banking passwords and other financial data. If a device gets infected, the attackers could perform financial transactions using the compromised credentials.

These CV-themed campaigns have recently increased in the US, doubling over the past two months. Of all malicious files observed by Check Point, 1 out of every 450 is part of a CV scam.

Medical leave scams

To further take advantage of the coronavirus, another campaign is using phony medical leave forms to deploy a different banking Trojan. In this one, emails are sent to business employees with such subject lines as “The following is a new Employee Request Form for leave within the Family and Medical Leave Act (FMLA).” Sent from various sender domains such as “,” the emails contain Microsoft Word attachments with names like “COVID-19 FLMA CENTER.doc.”

Opening the file attachment triggers a macro that launches the IcedID malware, a banking Trojan that attempts to steal financial data. This sophisticated campaign uses redirection to open clone websites and employs web injection to display fake content on top of the original pages.

A similar campaign uses the same Family and Medical Leave Act pitch but is sent from domains such as “” This attack deploys Trickbot, another banking Trojan that’s continually being enhanced with new capabilities.

In March, malware attacks decreased by 30% from January. Check Point attributed that decline to the coronavirus quarantining across many countries and organizations, thereby presenting attackers with a fewer number of potential targets. But as countries and businesses started to open up, cybercriminals are ramping up their activities, leading to a 16% increase in attacks in May, compared with March and April.

To help protect your organization against these specific types of malware attacks, Check Point offers a few tips:

  1. Educate HR and hiring managers on the risks of CVs and malicious active content that could be embedded in file attachments.
  2. Leverage technologies that “flatten” CVs to non-macro enabled formats.
  3. Be aware of malicious attackers seeking to obtain financial information beyond the initial phish.
  4. Watch out for well-known banking malware such as Zeus and its variants being reintroduced into the attack surface.
  5. Leverage security technologies that identify and prevent full coverage of these malware campaigns and Trojan/RAT droppers.