May 11, 2010

New Malspam: Please review my CV, Thank you!

Tim Xia

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new job-search-related malware spam outbreak today. The spam is designed to land in the inboxes of Human Resources staff and infect their computers: it asks the recipient to review a CV without stating which position is being applied for. Moreover, some attachments are disguised as picture files, which may catch email recipients off guard and lead them to open the attachment. We have seen more than 230,000 samples in 4 hours this morning, and the number is increasing quickly.

Snapshot of the spam:

Inside the ZIP file is an executable that contains the Oficla bot. This connects to a URL on the davidopolko.ru domain for its C&C functions. It also connects to topcarmitsubishi.com.br, get-money-now.net, mamapapalol.com and li1i16b0.com. Just over half of the AV vendors have detection for this attack according to VirusTotal.

Once run, it changes the desktop wallpaper to a message telling the user that the PC is infected.

It then downloads and installs a rogue AV product called Security Essentials 2010.
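As an added defender-side example (not code from the original Websense post), the following Python checks a ZIP attachment for executable members regardless of what the filename claims, and matches proxy-log hosts against the domains named above. The ZIP contents, the proxy-log format and the log lines are constructed here and are not taken from the real sample.

```python
import io
import zipfile

# Domains named in the post as the bot's C&C and download hosts.
OFICLA_DOMAINS = {
    "davidopolko.ru", "topcarmitsubishi.com.br", "get-money-now.net",
    "mamapapalol.com", "li1i16b0.com",
}

def suspicious_zip_entries(zip_bytes):
    """Names of ZIP members that are PE files (MZ magic) or carry an executable extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)          # DOS/PE executables start with the "MZ" magic
            name = info.filename.lower()
            if head == b"MZ" or name.endswith((".exe", ".scr")):
                hits.append(info.filename)
    return hits

def flagged_hosts(log_lines):
    """(client, host) pairs from constructed '<time> <client-ip> <host> <url>' lines hitting Oficla domains."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = parts[2].lower().rstrip(".")
        # Match the domain itself or any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in OFICLA_DOMAINS):
            flagged.append((parts[1], host))
    return flagged

def build_sample_zip():
    """Constructed stand-in for the spam attachment (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cv.doc", b"harmless placeholder text")        # benign member
        zf.writestr("my_photo.jpg", b"MZ\x90\x00" + b"\x00" * 60)   # PE bytes named as an image
        zf.writestr("CV.jpg.exe", b"MZ" + b"\x00" * 30)             # double extension
    return buf.getvalue()

SAMPLE_PROXY_LOG = [  # constructed log lines
    "10:02:11 10.1.2.30 www.example.com http://www.example.com/",
    "10:02:14 10.1.2.30 davidopolko.ru http://davidopolko.ru/",
    "10:02:20 10.1.2.31 cdn.get-money-now.net http://cdn.get-money-now.net/",
]
```

Checking the MZ header rather than trusting the extension is what catches the "picture" attachments described above; the log matcher also covers subdomains of the listed C&C hosts.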

Update: Added more domains the malware connects to.

Websense Messaging and Websense Web Security customers are protected against this attack.
