Below we see a perfectly crafted "spearphish" email sent to a victim. This email is very well articulated; it will fool a lot of people, and it did.
All the links except the Jobseeker tool download link are legitimate. That link, hxxp://www.google.com/pagead/iclk?sa=l&ai=DOWNLOAD_MONSTER_SOFTWARE_&uni_link_lid=3495c4865cd6a86d556c9a057399195a5a02206, would download the file; at the time of writing the link appears to be dead, and the server used to serve it has been secured.
This specific email was spread on July 6th. We know that the first infections occurred late in the afternoon of July 5th, and the first big name was infected on July 6th.
Now for the second vector, which is more sinister, so bear with me!
There has been a lot of talk lately about the "Russian Business Network" or RBN, who run "bulletproof hosting" from sunny Panama. A lot of the malware we see has various ties to this organized unit; they are very high up in the malware food chain. From our database we can track a lot of things (a blog post for another day), but using the data we have, we found that NTOS.EXE has ties back to a dropper used by a malware operation run by the RBN.
A brief overview of what happens follows -
You visit a malicious website and get redirected to one of a few "autorooters", one of which is located on hxxp://s[xx].*siesettings.com. This probes your browser for a myriad of exploits and, if successful, deploys a single file onto your machine. This file does many things, including checking what operating system you have, what security software you have, where you are from, etc. Once this is done you get your own personalized batch of malware deployed to your machine. We can see that a few select users were infected with NTOS.EXE via this method on the 8th of July, based on their location; only users within the USA were served this file using this method.
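The chain just described (referring page, redirect to the autorooter, exploit attempt, optional binary download) is what an incident responder would try to reconstruct from web proxy logs to find the "few select users" who were actually served the payload. The following Python snippet is an added example, not code from the original post: it parses a small set of constructed proxy log lines (the format and every hostname, IP and path in them are made up for illustration) and groups each client's requests into a chain, distinguishing clients that only hit the exploit pages from those that went on to download an executable. The watch-list domain is a placeholder, since the post only gives a partially redacted hostname.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the original post).
# Fields: timestamp client_ip method url referer status content_type
SAMPLE_LOG = """\
2007-07-08T14:02:11 10.0.0.5 GET http://news.example.net/article.html - 200 text/html
2007-07-08T14:02:12 10.0.0.5 GET http://s01.autorooter-placeholder.example/in.cgi?3 http://news.example.net/article.html 302 -
2007-07-08T14:02:13 10.0.0.5 GET http://s01.autorooter-placeholder.example/exp/mdac.php http://s01.autorooter-placeholder.example/in.cgi?3 200 text/html
2007-07-08T14:02:15 10.0.0.5 GET http://s01.autorooter-placeholder.example/load.php?id=7 - 200 application/octet-stream
2007-07-08T14:05:00 10.0.0.9 GET http://news.example.net/article.html - 200 text/html
2007-07-08T14:05:01 10.0.0.9 GET http://s01.autorooter-placeholder.example/in.cgi?3 http://news.example.net/article.html 302 -
2007-07-08T14:05:02 10.0.0.9 GET http://s01.autorooter-placeholder.example/exp/mdac.php http://s01.autorooter-placeholder.example/in.cgi?3 200 text/html
2007-07-08T14:10:00 10.0.0.12 GET http://intranet.example.org/ - 200 text/html
"""

# Hypothetical watch-list of exploit-kit ("autorooter") hostnames. Placeholder
# value; the post only gives a partially redacted hostname.
AUTOROOTER_DOMAINS = {"s01.autorooter-placeholder.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, url, referer, status, ctype = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "url": url, "referer": referer, "status": int(status), "ctype": ctype}


def host_of(url):
    """Return the lower-cased hostname of an http(s) URL, or '' if none."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else ""


def reconstruct_chains(log_text, watch=AUTOROOTER_DOMAINS, window_seconds=60):
    """For every client that touched a watch-listed host, return the page that
    referred it there, the first exploit-kit URL it hit, and the executable it
    downloaded from the kit (if any) within window_seconds of that first hit."""
    per_ip = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec:
            per_ip[rec["ip"]].append(rec)

    results = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        hits = [r for r in recs if host_of(r["url"]) in watch]
        if not hits:
            continue  # this client never reached the kit
        first = hits[0]
        # A binary served by the kit shortly after the first hit marks a
        # successful exploit followed by a payload download.
        payload = next((r["url"] for r in hits
                        if r["ctype"] == "application/octet-stream"
                        and 0 <= (r["ts"] - first["ts"]).total_seconds() <= window_seconds),
                       None)
        results[ip] = {
            "referer": first["referer"] if first["referer"] != "-" else None,
            "landing": first["url"],
            "payload": payload,
            "stage": "payload_downloaded" if payload else "exploit_attempted",
        }
    return results


if __name__ == "__main__":
    for ip, chain in reconstruct_chains(SAMPLE_LOG).items():
        print(ip, chain["stage"], "<-", chain["referer"], "->", chain["payload"])
```

In the constructed data, 10.0.0.5 shows the full chain and is reported as `payload_downloaded`, 10.0.0.9 reached the exploit pages but never fetched a binary (`exploit_attempted`), and 10.0.0.12 never touched the kit and is not reported. In a real investigation the "referer" field is what points back to the compromised or malicious site that started the chain, and joining the client list with geolocation data is how one would confirm the kind of country-based serving the post describes.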
This attack was semi-targeted, using modern personalized malware deployment methods; we will see a lot more of this in the months to come.