All those people looking for a new position should beware: A targeted malware campaign disguised as a job posting is attempting to compromise specific organizations, researchers found.
The infection vector associated with this campaign was a Microsoft Word document that was disguised as a job posting for Cisco Korea, and leveraged legitimate content available as part of job postings on various websites, said researchers at Cisco Talos.
This malicious Office document appears to have been the initial stage of what was designed to be a multi-stage infection process.
During the researchers' investigation of the campaign, they found more cases linked to multiple previous attacks associated with the same threat actor. Each of the campaigns leveraged malicious documents and initial-stage payloads that all featured similar tactics, techniques, and procedures (TTPs).
Due to the targeted nature of this campaign, the lack of widespread indicator-of-compromise (IoC) data, and the apparent nature of the targeting, this appears to be associated with a sophisticated attacker, researchers said in a post.
This sort of attack has become more common as threat actors continue to target users to gain an initial foothold in environments. Organizations are encouraged to employ a defense-in-depth approach to security and disallow the execution of macros where possible.
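One way to act on the "disallow the execution of macros where possible" advice on managed Windows hosts is to set the Office macro security values through policy. The script below is an added example, not part of the Talos research or the article; it assumes Office 2016/2019/365 (the `16.0` registry branch) and Word as the application of interest, and applies the per-user policy keys that block Internet-sourced macros and disable all VBA macros without notification, then reads the values back for verification.

```powershell
# Added example: harden Word macro settings via the per-user policy hive.
# Assumes Office 16.0 (2016/2019/365); adjust $officeVersion for other releases.
$officeVersion = "16.0"
$policyKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Word\Security"

# Create the policy key if it does not exist yet.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# VBAWarnings = 4 : "Disable all macros without notification".
# (1 = enable all, 2 = disable with notification, 3 = disable except digitally signed)
Set-ItemProperty -Path $policyKey -Name "VBAWarnings" -Value 4 -Type DWord

# blockcontentexecutionfrominternet = 1 : block macros in files that carry the
# Mark-of-the-Web (downloaded or received by email), regardless of VBAWarnings.
Set-ItemProperty -Path $policyKey -Name "blockcontentexecutionfrominternet" -Value 1 -Type DWord

# Verification step: read the values back and report whether each is in the hardened state.
$current = Get-ItemProperty -Path $policyKey
$checks = @(
    [pscustomobject]@{ Setting = "VBAWarnings";                        Expected = 4; Actual = $current.VBAWarnings },
    [pscustomobject]@{ Setting = "blockcontentexecutionfrominternet";  Expected = 1; Actual = $current.blockcontentexecutionfrominternet }
)
$checks | ForEach-Object {
    $_ | Add-Member -NotePropertyName Hardened -NotePropertyValue ($_.Actual -eq $_.Expected) -PassThru
} | Format-Table -AutoSize
```

For fleet-wide deployment the same values are normally pushed through Group Policy or an endpoint management tool rather than a local script, and the equivalent keys exist under the `Excel` and `PowerPoint` branches; the policy hive under `HKCU:\Software\Policies` takes precedence over the user-editable Trust Center settings, so a user cannot simply re-enable macros from the Office UI.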
The malicious document purports to relate to an employment opportunity with Cisco in Korea with the name “Job Descriptions.doc,” researchers said. The contents of the document match legitimate job descriptions that are available online.
These campaigns demonstrate the increasingly sophisticated nature of attacks that are being leveraged by threat actors attempting to compromise organizations around the world.
In this most recent campaign, the attackers took the content of legitimate job postings and used that in an attempt to add legitimacy to the malicious Office documents delivered to potential victims.
The use of the same TTPs across multiple campaigns over a long period demonstrates that this threat actor has been operational for years and is continuing to operate to achieve its mission objectives, researchers said.