Cisco Talos have discovered that attackers leveraged a malicious Cisco job themed document based off of content from a legitimate Cisco job posting. A Microsoft Word document containing malicious macros was used to drop malware. The macros extract an encoded executable, drop it onto the file system, and execute it. Upon execution, the binary establishes a connection to a C2 server in order to receive an additional payload.
At the time of analysis, the second-stage payload was no longer available so the exact purpose of the final payload is unable to be determined. Cisco Talos researchers identified malware samples from 2017 that appear to be connected to this campaign. These additional samples were job-themed Word documents, used very similar encoding and obfuscation techniques and performed the same functions.
Cisco Talos believes that this campaign and the campaigns associated with the previous samples are likely connected to the same threat actor. Additionally, they note that the TTPs seen in the campaigns indicate a sophisticated attacker.
Indicators of Compromise