Source: Cyware | By Ryan Stewart
• Cisco Talos identified a malicious campaign posing itself a job posting in its Korean portal.
• A Word document containing the ‘job description’ is found to have a macro code when initiated downloads an executable file.
Korean candidates could face unexpected obstacles while applying for Cisco jobs as a new malicious campaign has emerged with fake job postings under the networking company’s name on various job portals.
It has come to light that this campaign is spreading through a Word document disguised as a job posting on Cisco Korea portal. The ‘Job Description.doc’ contains parts of a code that downloads a malicious executable file.
In fact, the content in the document matches legitimate job descriptions put out by Cisco, which are publicly available on their site.
Expert attacker
In its blog post on this campaign, Cisco informed that this might be the work of an expert attacker. “Due to the targeted nature of this campaign, the lack of widespread indicator of compromise data, and the apparent nature of the targeting, this appears to be associated with a sophisticated attacker, “ it mentioned.
If the user downloads ‘Job Description.doc’, it extracts a malicious PE32 executable file called “jusched.exe” into the %APPDATA%\Roaming folder in the system. The PE32 file then attempts to contact a C2 server to check for additional instructions to execute on the system.
Additionally, the blog also highlighted how the attacker(s) managed to hide four API calls in the PE32 file so that it would make static analysis very difficult for security analysts.
A total of three legitimate job portals were said to be compromised in order to inject malicious content which includes www[.]secuvision[.]co[.]kr, ilovesvc[.]com, and www[.]syadplus[.]com.
Cisco has urged job applicants to be wary of suspicious documents lurking on these online job portals.
* Lead image used for representational purposes only.
