Researchers at Websense Security Labs discovered the attack, which included the subject line "New resume" and came with a ZIP file attachment and what appeared to be a picture file. When opened, the files spreads bot malware and, ultimately, fake antivirus software.
"From what the Websense Security Labs has ascertained, the email campaign would be most relevant to HR departments and managers considering hiring. Employees in these types of roles would most likely be encouraged to view the attachments," says Carl Leonard, senior manager of security research for Websense Security Labs.
An executable inside the ZIP file contains the Oficla bot, according to the researchers; the bot connects to a command and control server in the davidopolku.ru domain, and also communicates with topcarmitsubishi.com.br, get-money-now.net, mamapapalol.com, and li1i16b0.com. The malware issues a warning message that the victim's PC is "infected," and then it downloads the Security Essentials 2010 fake AV program.
Leonard says the attackers appear to be trying to make money both by selling fake AV and building out a botnet. "This attack installed a downloader onto the infected user's computer. This means that any payload could be delivered with different directives," he says.
This attack had morphed today, with a modified binary, different subject line, and different email message. "The theme was the same, though a prospective application with a CV attached. A CV campaign is still ongoing right now [as of 5:30 U.K. time], sending to hundreds of thousands of recipients," Leonard says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.