Fake Cisco Job Posting Targets Korean Candidates
Contents
Edmund Brumaghin and Paul Rascagneres authored this post, with contributions from Jungsoo An.
Executive summary
Cisco Talos recently observed a targeted malware campaign being leveraged in an attempt to compromise specific organizations. The infection vector associated with this campaign was a Microsoft Word document that was disguised as a job posting for Cisco Korea, and leveraged legitimate content available as part of job postings on various websites. EST Security also described this campaign in a blog post this week. This malicious Office document appears to have been the initial portion of what was designed to be a multi-stage infection process.
During our analysis of this campaign, we located additional samples that we believe are linked to multiple previous campaigns associated with the same threat actor. Each of the campaigns leveraged malicious documents and initial stage payloads that all featured similar tactics, techniques, and procedures (TTP). Due to the targeted nature of this campaign, …
Executive summary
Cisco Talos recently observed a targeted malware campaign being leveraged in an attempt to compromise specific organizations. The infection vector associated with this campaign was a Microsoft Word document that was disguised as a job posting for Cisco Korea, and leveraged legitimate content available as part of job postings on various websites. EST Security also described this campaign in a blog post this week. This malicious Office document appears to have been the initial portion of what was designed to be a multi-stage infection process.
During our analysis of this campaign, we located additional samples that we believe are linked to multiple previous campaigns associated with the same threat actor. Each of the campaigns leveraged malicious documents and initial stage payloads that all featured similar tactics, techniques, and procedures (TTP). Due to the targeted nature of this campaign, …
IoC
1497ab6ddccf91ef7f2cd75ce020bb3bf39979210351deaa6e0025997ddfda5a
7af59922d4c1b4f2d589cb2853afb543b37a1f23da0cf0180a693f9748e05906
809b1201b17a77732be3a9f96a25d64c8eb0f7e7a826c6d86bb2b26e12da7b58
adfb60104a6399c0b1a6b4e0544cca34df6ecee5339f08f42b52cdfe51e75dc3
bf27c1631ef64c1e75676375a85d48f8ae97e1ea9a5f67c2beefc02c609fc18b
cd2e8957a2e980ffb82c04e428fed699865542767b257eb888b6732811814a97
e259aa1de48fd10b7601c4486b841428fbd6cd1a4752cf0d3bbe1799116ae6e6
http://ilovesvc.com
http://www.secuvision.co.kr
http://www.syadplus.com
7af59922d4c1b4f2d589cb2853afb543b37a1f23da0cf0180a693f9748e05906
809b1201b17a77732be3a9f96a25d64c8eb0f7e7a826c6d86bb2b26e12da7b58
adfb60104a6399c0b1a6b4e0544cca34df6ecee5339f08f42b52cdfe51e75dc3
bf27c1631ef64c1e75676375a85d48f8ae97e1ea9a5f67c2beefc02c609fc18b
cd2e8957a2e980ffb82c04e428fed699865542767b257eb888b6732811814a97
e259aa1de48fd10b7601c4486b841428fbd6cd1a4752cf0d3bbe1799116ae6e6
http://ilovesvc.com
http://www.secuvision.co.kr
http://www.syadplus.com