The spam messages came with a subject line of 'New Resume' and the text read "Please review my CV, thank you!" or had a similar message enquiring about a vacancy. Some attachments appeared as JPEG files and others as ZIP compressed files.
If recipients click on the attachment, it immediately unpacks an executable dropper program, which connects to a URL in the davidopolko.ru domain for its command-and-control functions. At the time of the attack, just more than half of the AV vendors had detection for this attack, according to the VirusTotal website.
According to Leonard, the program then modifies the victim computer's registry, slows the machine, and loads a rogue antivirus program.
"It slows down the machine, to convince the user the machine has been infected, and changes the desktop. It then throws up some dialogue boxes that are very difficult to get rid of," Leonard said. "Eventually it takes you to a website that appears to have security certificates, which looks like a legitimate AV site."
In truth, the machine is infected and can be infected with whatever additional payload the malware authors choose to send. "Every few days, it seems the payload could change and the user has a machine that is pretty unusable," Leonard said.
"The people who were most likely to look at it would also have access to sensitive data. HR staff usually have access to employee databases, so that could be one of the reasons why they chose this particular trick," he said.
He also warned that infected computers could be used not only as bots to send out more spam, but also to access sensitive information on the user's network. He also warned that we can expect to see more of this kind of attack.
"Malicious attachments over email are back," Leonard said. "That technique had died down for a while; now we see a big resurgence."