Infected attachment posing as a resume spreads bot, rogue antivirus

Dark Reading Staff, Dark Reading

May 14, 2010

2 Min Read

A targeted attack aimed at human resources departments and hiring managers in the U.S. and Europe was spotted this week -- and sent 250,000 emails during a four-hour period yesterday at the height of the assault.

Researchers at Websense Security Labs discovered the attack, which included the subject line "New resume" and came with a ZIP file attachment and what appeared to be a picture file. When opened, the files spreads bot malware and, ultimately, fake antivirus software.

"From what the Websense Security Labs has ascertained, the email campaign would be most relevant to HR departments and managers considering hiring. Employees in these types of roles would most likely be encouraged to view the attachments," says Carl Leonard, senior manager of security research for Websense Security Labs.

An executable inside the ZIP file contains the Oficla bot, according to the researchers; the bot connects to a command and control server in the domain, and also communicates with,,, and The malware issues a warning message that the victim's PC is "infected," and then it downloads the Security Essentials 2010 fake AV program.

Leonard says the attackers appear to be trying to make money both by selling fake AV and building out a botnet. "This attack installed a downloader onto the infected user's computer. This means that any payload could be delivered with different directives," he says.

This attack had morphed today, with a modified binary, different subject line, and different email message. "The theme was the same, though a prospective application with a CV attached. A CV campaign is still ongoing right now [as of 5:30 U.K. time], sending to hundreds of thousands of recipients," Leonard says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights