SonicWALL UTM Research team observed a new wave of the Resume spam campaign starting at noon today. Each e-mail carries a zip archive attachment that contains a malicious executable. This is different from the FakeAV HTML campaign that we reported last week.
The Resume spam campaign consists of e-mails pretending to carry a CV document as an attachment. This spam theme was last used by the Bredolab authors back in July 2010. SonicWALL UTM Research team has received more than 20,000 copies of e-mails from this campaign so far, and it is still ongoing.
Some of the E-mail subjects we have seen in this campaign so far:
Sample e-mail messages look like:
The zip archive attachment contains a malicious executable file, cv.exe, which is a new variant of the FakeAV Downloader Trojan. Upon execution it downloads and installs FakeAV malware on the victim machine, which then demands payment.
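The delivery mechanism described above (a zip attachment holding a Windows executable) is easy to screen for at a mail gateway. The following is an added example, not SonicWALL's own code or signature logic: it parses a raw e-mail, opens any zip attachment in memory and flags members that are executables either by extension or by the MZ header, so a renamed payload such as cv.txt is still caught. The sample message it builds is constructed for the demo (the addresses, subject and the MZ stub standing in for cv.exe are all assumptions, not data from the campaign).

```python
"""Flag e-mails whose zip attachment contains a Windows executable (e.g. cv.exe)."""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs directly on double-click; assumed list, extend as needed.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MZ_MAGIC = b"MZ"   # first two bytes of every DOS/PE executable
ZIP_MAGIC = b"PK"  # local file header signature of a zip archive


def suspicious_zip_members(zip_bytes):
    """Return names of archive members that look like executables.

    A member is flagged when its extension is in EXECUTABLE_EXTENSIONS or its
    content starts with the MZ header (catches renamed PE files). A corrupt or
    non-zip payload is reported rather than silently ignored."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                ext = os.path.splitext(info.filename)[1].lower()
                with zf.open(info) as member:
                    head = member.read(len(MZ_MAGIC))
                if ext in EXECUTABLE_EXTENSIONS or head == MZ_MAGIC:
                    findings.append(info.filename)
    except zipfile.BadZipFile:
        findings.append("<corrupt zip>")
    return findings


def scan_message(raw_bytes):
    """Parse an RFC 5322 message; return [(attachment_name, [flagged members]), ...]."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        name = part.get_filename() or "<unnamed>"
        # Detect zip by magic bytes, not by declared filename or MIME type:
        # spam routinely lies about both.
        if payload[:len(ZIP_MAGIC)] == ZIP_MAGIC:
            flagged = suspicious_zip_members(payload)
            if flagged:
                hits.append((name, flagged))
    return hits


def build_sample_message(member_name, member_bytes):
    """Construct a resume-themed e-mail with one zip attachment holding member_name.

    Everything here is constructed test data; the MZ stub is not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"   # assumed sender
    msg["To"] = "hr@example.invalid"            # assumed recipient
    msg["Subject"] = "My resume"                # assumed subject
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="resume.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    pe_stub = MZ_MAGIC + b"\x00" * 62
    print(scan_message(build_sample_message("cv.exe", pe_stub)))
    print(scan_message(build_sample_message("cv.txt", pe_stub)))   # renamed PE
    print(scan_message(build_sample_message("cv.txt", b"plain text")))
```

Checking the MZ header rather than trusting the extension is what makes the second case above fire; a gateway rule keyed only on `.exe` would pass it through.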
It attempts to connect to multiple malicious domains to download malware executables and related configuration files:
The following files are dropped onto the victim machine:
If the user attempts to open any other legitimate executable, the FakeAV malware blocks the application launch and displays a fake infection message, as seen below for the Calculator program:
As seen before in other FakeAV malware analysis, it subsequently starts scanning the system files and displays more fake infections prompting the user to purchase the application in order to clean up the infections.
SonicWALL Gateway AntiVirus provides protection against this FakeAV Downloader Trojan with the GAV: Kryptik.AJD (Trojan) signature.