
Cisco Posers Using Fake Job Postings to Deploy Malware

The malware is deployed via a Word document that presents itself as a listing of job openings on the Cisco Korea portal. At first glance, users think they are opening a document containing the job description, but it actually contains embedded code that downloads malicious executables. Cisco has released a statement indicating it believes an expert attacker is behind this campaign: “Due to the targeted nature of this campaign, the lack of widespread indicator of compromise data, and the apparent nature of the targeting, this appears to be associated with a sophisticated attacker.” When the user downloads the “Job Description.doc,” a malicious file, “jusched.exe,” is extracted and placed in the %APPDATA%\Roaming folder on the system. The C2 server is then contacted in an attempt to obtain further instructions for execution. The three job portals in question are: www[.]secuvision[.]co[.]kr, ilovesvc[.]com, and www[.]syadplus[.]com.
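As an added illustration of how a defender could turn the chain above into detection logic (example code written for this page, not part of the original flash or any Cisco tooling): it scans constructed Sysmon-style JSON events, whose field names are assumed, for Word dropping or launching an executable from %APPDATA%\Roaming and for DNS lookups of the three listed domains.

```python
import json
import ntpath
import re

# The three defanged domains quoted in the flash; refanged before matching.
INDICATOR_DOMAINS = {d.replace("[.]", ".").lower() for d in (
    "www[.]secuvision[.]co[.]kr", "ilovesvc[.]com", "www[.]syadplus[.]com")}
# Matches a user-writable Roaming profile path, i.e. where %APPDATA% points.
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)

def basename(path):
    return ntpath.basename(path).lower()

def evaluate(ev):
    """Return the names of every rule a single Sysmon-style event trips."""
    hits = []
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    if ev.get("EventID") == 11:  # FileCreate: Word writing an .exe into Roaming
        tgt = ev.get("TargetFilename", "")
        if basename(image) == "winword.exe" and ROAMING_RE.search(tgt) \
                and tgt.lower().endswith(".exe"):
            hits.append("word_drops_exe_to_roaming")
    elif ev.get("EventID") == 1:  # ProcessCreate
        if basename(parent) == "winword.exe" and ROAMING_RE.search(image):
            hits.append("word_spawns_exe_from_roaming")
        if basename(image) == "jusched.exe" and ROAMING_RE.search(image):
            hits.append("jusched_in_roaming_profile")
    elif ev.get("EventID") == 22:  # DNSEvent: lookup of a listed domain
        if ev.get("QueryName", "").lower().rstrip(".") in INDICATOR_DOMAINS:
            hits.append("dns_to_flash_indicator")
    return hits

def scan(jsonl):
    """Scan newline-delimited JSON events; return [(line_no, rule), ...]."""
    findings = []
    for n, line in enumerate(jsonl.strip().splitlines(), 1):
        for rule in evaluate(json.loads(line)):
            findings.append((n, rule))
    return findings

# Constructed sample telemetry (not real logs): a benign Java updater run,
# then the chain described in the flash.
SAMPLE = r"""
{"EventID": 1, "Image": "C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\jusched.exe"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\jusched.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Roaming\\jusched.exe", "QueryName": "www.secuvision.co.kr"}
"""

if __name__ == "__main__":
    for n, rule in scan(SAMPLE):
        print(f"line {n}: {rule}")
```

The legitimate Java update scheduler line produces no finding; only the Word-dropped copy in the Roaming profile and its DNS lookup are flagged.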
