The campaign was picked up by U.S.-based Websense Inc. Wednesday morning, when the sudden blast of messages took place. The company's European research manager, Carl Leonard, said on Thursday: "The campaign was confined to a very short period of time. Yesterday morning we saw 230 million messages. This morning we saw just 13. The malware authors really do make their campaigns short and sweet."
The spam messages came with a subject line of 'New Resume' and the text read "Please review my CV, thank you!" or had a similar message enquiring about a vacancy. Some attachments appeared as JPEG files and others as ZIP compressed files.
If recipients open the attachment, it immediately unpacks an executable dropper program, which connects to a URL in the davidopolko.ru domain for its command-and-control functions. At the time of the attack, just over half of the AV vendors had detection for this attack, according to the VirusTotal website.
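A defender-side triage check for mail in the shape this article describes, added here as an example and not Websense's code or anything from the article: it flags the 'New Resume' subject and 'Please review my CV' body text, a JPEG-named attachment that does not carry JPEG magic bytes, and a ZIP that wraps an executable. The attachment names, the executable suffix list and the sample message are constructed for the example.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Lure strings are those quoted in the article; everything else below is a constructed sample.
LURE_SUBJECTS = {"new resume"}
LURE_PHRASES = ("please review my cv",)


def attachment_findings(filename: str, data: bytes) -> list:
    """Reasons an attachment looks like the campaign's (empty list: nothing matched)."""
    name, reasons = filename.lower(), []
    # A file that "appears as" a JPEG must start with the JPEG magic, not e.g. an MZ header.
    if name.endswith((".jpg", ".jpeg")) and not data.startswith(b"\xff\xd8\xff"):
        reasons.append(f"{filename}: named as JPEG but not JPEG data")
    if name.endswith(".zip"):
        if not zipfile.is_zipfile(io.BytesIO(data)):
            reasons.append(f"{filename}: .zip extension but not a valid archive")
        else:  # flag archives that wrap an executable, the dropper delivery the article describes
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                reasons += [f"{filename}: archive contains executable {m}"
                            for m in zf.namelist() if m.lower().endswith((".exe", ".scr", ".com", ".pif"))]
    return reasons


def score_message(raw: bytes) -> list:
    """Parse an RFC 5322 message and return every indicator that matched."""
    msg, findings = email.message_from_bytes(raw), []
    if (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS:
        findings.append("lure subject")
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            findings += attachment_findings(fname, part.get_payload(decode=True) or b"")
        elif part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode(errors="replace").lower()
            if any(phrase in body for phrase in LURE_PHRASES):
                findings.append("lure body text")
    return findings


def build_sample_message() -> bytes:
    """Constructed sample in the campaign's shape: lure text, a fake JPEG and a ZIP-wrapped EXE."""
    msg = EmailMessage()
    msg["Subject"] = "New Resume"
    msg.set_content("Please review my CV, thank you!")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="image", subtype="jpeg", filename="cv.jpg")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cv.exe", b"MZ" + b"\x00" * 62)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="cv.zip")
    return msg.as_bytes()
```

Running `score_message(build_sample_message())` returns four findings: the lure subject, the lure body text, the mislabelled JPEG and the executable inside the ZIP.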
According to Leonard, the program then modifies the victim computer's registry, slows the machine, and loads a rogue antivirus program.
"It slows down the machine, to convince the user the machine has been infected, and changes the desktop. It then throws up some dialogue boxes that are very difficult to get rid of," Leonard said. "Eventually it takes you to a website that appears to have security certificates, which looks like a legitimate AV site."
In truth, the machine is already infected and can be loaded with whatever additional payload the malware authors choose to send. "Every few days, it seems the payload could change and the user has a machine that is pretty unusable," Leonard said.
Although it seems the CV spam attacks are not targeted at specific HR professionals, Leonard said the campaign was cleverly timed to appeal to any recipient who might be involved in recruiting staff.
"The people who were most likely to look at it would also have access to sensitive data. HR staff usually have access to employee databases, so that could be one of the reasons why they chose this particular trick," he said.
He also warned that infected computers could be used not only as bots to send out more spam, but also to access sensitive information on the user's network, and that we can expect to see more of this kind of attack.
"Malicious attachments over email are back," Leonard said. "That technique had died down for a while; now we see a big resurgence."