misp-circl-feed/feeds/circl/misp/5c5201f6-e414-4dc2-be61-4f4502de0b81.json

{
  "Event": {
    "analysis": "2",
    "date": "2019-01-30",
    "extends_uuid": "",
    "info": "OSINT - Cisco Job Posting Targets Korean Candidates",
    "publish_timestamp": "1548878721",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1548878619",
    "uuid": "5c5201f6-e414-4dc2-be61-4f4502de0b81",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0071c3",
        "local": false,
        "name": "osint:lifetime=\"perpetual\"",
        "relationship_type": ""
      },
      {
        "colour": "#0087e8",
        "local": false,
        "name": "osint:certainty=\"50\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:white",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1548878338",
        "to_ids": false,
        "type": "link",
        "uuid": "5c520202-8d5c-44ca-8470-40ce02de0b81",
        "value": "https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1548878356",
        "to_ids": false,
        "type": "text",
        "uuid": "5c520214-741c-4008-8f48-e23902de0b81",
        "value": "Cisco Talos recently observed a targeted malware campaign being leveraged in an attempt to compromise specific organizations. The infection vector associated with this campaign was a Microsoft Word document that was disguised as a job posting for Cisco Korea, and leveraged legitimate content available as part of job postings on various websites. EST Security also described this campaign in a blog post this week. This malicious Office document appears to have been the initial portion of what was designed to be a multi-stage infection process. \r\n\r\nDuring our analysis of this campaign, we located additional samples that we believe are linked to multiple previous campaigns associated with the same threat actor. Each of the campaigns leveraged malicious documents and initial stage payloads that all featured similar tactics, techniques, and procedures (TTP). Due to the targeted nature of this campaign, the lack of widespread indicator of compromise data, and the apparent nature of the targeting, this appears to be associated with a sophisticated attacker. This sort of attack has become more common as threat actors continue to target users to gain an initial foothold in environments. Organizations are encouraged to employ a defense-in-depth approach to security and disallow the execution of macros where possible."
      },
      {
        "category": "Network activity",
        "comment": "The C2 server used in this campaign was ilovesvc[.]com, another example of a legitimate website that had been compromised by the threat actor and used to host malicious content.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1548878477",
        "to_ids": false,
        "type": "domain",
        "uuid": "5c520233-b77c-4045-b967-4abc02de0b81",
        "value": "ilovesvc.com"
      },
      {
        "category": "Payload delivery",
        "comment": "the Office document",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1548878405",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5c520245-4460-41ab-b89e-405b02de0b81",
        "value": "bf27c1631ef64c1e75676375a85d48f8ae97e1ea9a5f67c2beefc02c609fc18b"
      },
      {
        "category": "Payload delivery",
        "comment": "PE32",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1548878423",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5c520257-fdd4-4c61-8b0f-445902de0b81",
        "value": "1497ab6ddccf91ef7f2cd75ce020bb3bf39979210351deaa6e0025997ddfda5a"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1548878458",
        "to_ids": false,
        "type": "hostname",
        "uuid": "5c52027a-a0a8-492d-8ed5-43ee02de0b81",
        "value": "www.secuvision.co.kr"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1548878458",
        "to_ids": false,
        "type": "hostname",
        "uuid": "5c52027a-b1b0-45dd-8c9c-4ac702de0b81",
        "value": "www.syadplus.com"
      },
      {
        "category": "Payload delivery",
        "comment": "Screenshot of the word document",
        "data": "/9j/4AAQSkZJRgABAQAAAQABAAD/4QBgRXhpZgAASUkqAAgAAAACADEBAgAHAAAAJgAAAGmHBAABAAAALgAAAAAAAABHb29nbGUAAAMAAJAHAAQAAAAwMjIwAqAEAAEAAABABgAAA6AEAAEAAAB9BAAAAAAAAP/bAIQAAwICCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICggICAgJCQkICAsNCggNCAgJCAEDBAQGBQYIBgYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI/8AAEQgEfQZAAwEiAAIRAQMRAf/EAB0AAQABBQEBAQAAAAAAAAAAAAAGAQIEBQcICQP/xABoEAABBAECAwMFCA4IAgYGARUBAAIDBAUREgYTIQcUMQgVIkFRFhgzU5GS0dMjJDI0UlRhcXKBk5Sy8AlCVXOVsbPUocEXJTVDdNImYnW0wuE2RYKEo7XxJ0RWY3aDojeW5BlGZGXE/8QAGwEBAAIDAQEAAAAAAAAAAAAAAAEDAgQFBgf/xABEEQEAAQIBCQQIBAQFAwQDAAAAAQIRAwQSExUhMVFSkhZB0eEFU2FxkaGi0gYiMoEUQmKTM7HB4vBDcoIHI1SyNETC/9oADAMBAAIRAxEAPwD6nWLAaCSdAFoZ+NYWkgkjTp4KvGsxbCSFIAEEa93sHtT3ewe1SVEEa93sHtT3ewe1SVNUEa93sHtT3ewe1SUKuiCM+72D2p7vYPapKii4jXu9g9qe72D2qSopEa93sHtT3ewe1SbRNEEZ93sHtT3ewe1SbRNEEZ93sHtT3ewe1SbRNEEZ93sHtT3ewe1SbRNEEZ93sHtT3ewe1SbRNEEZ93sHtT3ewe1SVFFxGvd7B7U93sHtUm0TRSIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaII9BxtC46An9S3tawHDUHUFXlaHgucuiBJ1/wDvlB+PHnwB/UpISo3x58Af1KRuUSLXPWmv8bU4vhbdaP8ATmjb/E4Lw35bXHOUZmTUo2LbGCoyYx1ZJQegeZHlsZHotaNXH1DReWMvjsnMRzmXZSYuf9kEzyYdu/nekCeXs9IuPo+HVenyX0JpqKMSrFinPi8R3uHj+kpoqqopombd/c+zWMzMUzBJDJHNGdQHxObI0kHQ6OaSDofHr0WYCvA/kpYihNjqkMpz7ZpJXs305cjDSaS9wBD4HNgZ/wCsflXpnsOhdDbzFLmzSw1J67YTYlfPK0SQcxwdLIS53UjTUrlZRkeiqri8zm8YteLxGzb7W/g5RnxTNt/B2BquVrVcubE3huvzL1XmLyzwBin5HO5qCxbuiKvI0wshtzwtZuc4dAx7fUNPALrn/QTW/G8p/iVv61bWLgU4U2qr7ondxi6+qiKd8913Sd6vaV5U7Y8I/GZLBsrXL+yzaLZmy3LEzXNbJBtG17yOu9w9nUr1U1Y4mDmU01XvFcTMftNmNdGbETe91yoSqrX57MtrxPlfrtYNTp4/mVCpnEqoK83RdpBntiWeeaGEaERxF3UeIBDXDqfzeC6rR7ZaD9GiRw9Wr2lvyl3rQT1Fj1bjZAHMcHNPgQQQVkICIiAqEoVDu1LtEjxlSSy8bi3oxg8Xu9QH5fX6/BZ0UTXVFNMXmWFVUUxeUuc5U3rhXZzeys9a/fuu5bJqr3VoW6gx7WvcH69PSI066A9F5b4czOWd3WeXJXYa09h0TZufNK1j2vYDuZvYCz0vAuC6eD6PnFmuNJTGZ79vsj2ubiZfFGbObVaqfZs9s7X0d1VVq+HtRBCC/mkRR6yabeYdjfT01O3d46a+tbMFcqdk29tnUibxdVEVFCVUREBERAREQEREBERAREQEREBERARUK0HEfHlKmWi3br1i/UsE8scW7Tx27yNdPyIJAi1+Dz0NmMTV5Y5ona7ZInNex2njo5pIKzXv06/zogvRRB/azjBHzjkKYi5nJ5hsRbOaBuMe7dpvDRqW+K2mF4yq2YnTV7MM8TN26SKRj2N2jV2rmu0Gn5fBBu0WowHFFe0zm1Z4rEe4t5kMjZGbhpq3c0kajXTTVW4ji6rYfLFBYhmkgcWTMjka98TgS3bI1p1a4EEEEepBuUUcxPaHRnmdXhuVpZ2bt0MczHyt2fdaxtduG316hLHaHQZYFR12s20SAK5njExJGoHLLt2ugPQBBI0VmqxaWXikdI2ORj3RO2SBrgSx+gIa8Dq0kEHr6igzUWBFl4zK6ASMMzWCR0W4F4Y46BxaDuDT4AkLOQVRYNnLxskjidIxskgcY4y4B7wzQvLWnqQwEEkJBl43vkibIx0kW3mMBBczeNW72jq3cBqNfEdUGcitcVgVs3E90rWSsc6E7ZmhzSYnFu8NkAPonaQ7r6kGxRRGXtYxjY+c7I0xFvMRkNmIM5jdSWbi4DcB1LfFSTGZKOaNksT2yRyNDmSMIcx7T4FrhqCD7UGUiwbOWjZJHE6RjZJt3KY5wD5Njdz9jToXbW9Tp4KPntXxnO7v5w
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1548878544",
        "to_ids": false,
        "type": "attachment",
        "uuid": "5c5202d0-e2fc-4be4-bf46-406f02de0b81",
        "value": "image11.jpg"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1548878618",
        "uuid": "db2f6f9a-9fd2-4815-ab19-3e80b630afee",
        "ObjectReference": [
          {
            "comment": "",
            "object_uuid": "db2f6f9a-9fd2-4815-ab19-3e80b630afee",
            "referenced_uuid": "83ffea5f-5ac1-4359-a694-73fe84275425",
            "relationship_type": "analysed-with",
            "timestamp": "1548878619",
            "uuid": "5c52031b-148c-4b18-beb5-41af02de0b81"
          }
        ],
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1548878619",
            "to_ids": true,
            "type": "md5",
            "uuid": "572e564c-fe17-4783-b26f-c0c43c78fef1",
            "value": "c067345667eded99610e51042a14081a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1548878619",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0d1f612a-fd63-4544-94f4-80d518d10e85",
            "value": "ea9bd89535c250c7bb7d98d10971ca586a574c53"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1548878619",
            "to_ids": true,
            "type": "sha256",
            "uuid": "38112b03-a033-4106-8a1a-fcfc5959b18e",
            "value": "1497ab6ddccf91ef7f2cd75ce020bb3bf39979210351deaa6e0025997ddfda5a"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "VirusTotal report",
        "meta-category": "misc",
        "name": "virustotal-report",
        "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
        "template_version": "2",
        "timestamp": "1548878619",
        "uuid": "83ffea5f-5ac1-4359-a694-73fe84275425",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "last-submission",
            "timestamp": "1548878619",
            "to_ids": false,
            "type": "datetime",
            "uuid": "2f301aee-3a07-4315-a9fe-35f15b9d6423",
            "value": "2017-07-03T03:11:00"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "permalink",
            "timestamp": "1548878619",
            "to_ids": false,
            "type": "link",
            "uuid": "e6031ce3-dc7d-4d15-a1ea-635e060a2f02",
            "value": "https://www.virustotal.com/file/1497ab6ddccf91ef7f2cd75ce020bb3bf39979210351deaa6e0025997ddfda5a/analysis/1499051460/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "detection-ratio",
            "timestamp": "1548878619",
            "to_ids": false,
            "type": "text",
            "uuid": "36547772-c3a7-4c9a-a7ad-cf22d140afe5",
            "value": "32/62"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "11",
        "timestamp": "1548878619",
        "uuid": "30e63e4f-a33b-4e63-85a6-37485fb077a2",
        "ObjectReference": [
          {
            "comment": "",
            "object_uuid": "30e63e4f-a33b-4e63-85a6-37485fb077a2",
            "referenced_uuid": "4dcb8302-c888-44dc-bb62-d35f09261019",
            "relationship_type": "analysed-with",
            "timestamp": "1548878619",
            "uuid": "5c52031b-db50-484e-b4ec-48de02de0b81"
          }
        ],
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1548878619",
            "to_ids": true,
            "type": "md5",
            "uuid": "2eba6971-80b4-45a0-b749-84f304462525",
            "value": "fbd1cd15019c0dd6659a59bc93b8596f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1548878619",
            "to_ids": true,
            "type": "sha1",
            "uuid": "624befbd-35c5-4cc8-8e5c-efe6a0b32328",
            "value": "050dbe26683f5d39c8773da4a4b7d3dd28addc00"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1548878619",
            "to_ids": true,
            "type": "sha256",
            "uuid": "823ed46d-d453-4180-8e97-77c90cd6d35b",
            "value": "bf27c1631ef64c1e75676375a85d48f8ae97e1ea9a5f67c2beefc02c609fc18b"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "VirusTotal report",
        "meta-category": "misc",
        "name": "virustotal-report",
        "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
        "template_version": "2",
        "timestamp": "1548878619",
        "uuid": "4dcb8302-c888-44dc-bb62-d35f09261019",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "last-submission",
            "timestamp": "1548878619",
            "to_ids": false,
            "type": "datetime",
            "uuid": "e27a0948-b861-4c5a-8bed-1e7733ad3f54",
            "value": "2019-01-30T10:52:43"
          },
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "permalink",
            "timestamp": "1548878619",
            "to_ids": false,
            "type": "link",
            "uuid": "61389d49-4a4d-4917-bbef-dce3db7cffae",
            "value": "https://www.virustotal.com/file/bf27c1631ef64c1e75676375a85d48f8ae97e1ea9a5f67c2beefc02c609fc18b/analysis/1548845563/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "detection-ratio",
            "timestamp": "1548878619",
            "to_ids": false,
            "type": "text",
            "uuid": "ae01b2c6-6e9f-4e1e-93e7-5fc722af7bcd",
            "value": "34/58"
          }
        ]
      }
    ]
  }
}
chg: [feed] added 2023-04-21 13:25:09 +00:00			`{`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"Event": {`
			`"analysis": "2",`
			`"date": "2019-01-30",`
			`"extends_uuid": "",`
			`"info": "OSINT - Cisco Job Posting Targets Korean Candidates",`
			`"publish_timestamp": "1548878721",`
			`"published": true,`
			`"threat_level_id": "3",`
			`"timestamp": "1548878619",`
			`"uuid": "5c5201f6-e414-4dc2-be61-4f4502de0b81",`
			`"Orgc": {`
			`"name": "CIRCL",`
			`"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"`
			`},`
			`"Tag": [`
			`{`
			`"colour": "#004646",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "type:OSINT",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0071c3",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "osint:lifetime=\"perpetual\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#0087e8",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "osint:certainty=\"50\"",`
			`"relationship_type": ""`
			`},`
			`{`
			`"colour": "#ffffff",`
chg: [feed] updated 2024-04-05 12:15:17 +00:00			`"local": false,`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"name": "tlp:white",`
			`"relationship_type": ""`
			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1548878338",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "5c520202-8d5c-44ca-8470-40ce02de0b81",`
			`"value": "https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html"`
			`},`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1548878356",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5c520214-741c-4008-8f48-e23902de0b81",`
			"value": "Cisco Talos recently observed a targeted malware campaign being leveraged in an attempt to compromise specific organizations. The infection vector associated with this campaign was a Microsoft Word document that was disguised as a job posting for Cisco Korea, and leveraged legitimate content available as part of job postings on various websites. EST Security also described this campaign in a blog post this week. This malicious Office document appears to have been the initial portion of what was designed to be a multi-stage infection process. \r\n\r\nDuring our analysis of this campaign, we located additional samples that we believe are linked to multiple previous campaigns associated with the same threat actor. Each of the campaigns leveraged malicious documents and initial stage payloads that all featured similar tactics, techniques, and procedures (TTP). Due to the targeted nature of this campaign, the lack of widespread indicator of compromise data, and the apparent nature of the targeting, this appears to be associated with a sophisticated attacker. This sort of attack has become more common as threat actors continue to target users to gain an initial foothold in environments. Organizations are encouraged to employ a defense-in-depth approach to security and disallow the execution of macros where possible."
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "The C2 server used in this campaign was ilovesvc[.]com, another example of a legitimate website that had been compromised by the threat actor and used to host malicious content.",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1548878477",`
			`"to_ids": false,`
			`"type": "domain",`
			`"uuid": "5c520233-b77c-4045-b967-4abc02de0b81",`
			`"value": "ilovesvc.com"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "the Office document",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1548878405",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5c520245-4460-41ab-b89e-405b02de0b81",`
			`"value": "bf27c1631ef64c1e75676375a85d48f8ae97e1ea9a5f67c2beefc02c609fc18b"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "PE32",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1548878423",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5c520257-fdd4-4c61-8b0f-445902de0b81",`
			`"value": "1497ab6ddccf91ef7f2cd75ce020bb3bf39979210351deaa6e0025997ddfda5a"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1548878458",`
			`"to_ids": false,`
			`"type": "hostname",`
			`"uuid": "5c52027a-a0a8-492d-8ed5-43ee02de0b81",`
			`"value": "www.secuvision.co.kr"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1548878458",`
			`"to_ids": false,`
			`"type": "hostname",`
			`"uuid": "5c52027a-b1b0-45dd-8c9c-4ac702de0b81",`
			`"value": "www.syadplus.com"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "Screenshot of the word document",`
			"data": "/9j/4AAQSkZJRgABAQAAAQABAAD/4QBgRXhpZgAASUkqAAgAAAACADEBAgAHAAAAJgAAAGmHBAABAAAALgAAAAAAAABHb29nbGUAAAMAAJAHAAQAAAAwMjIwAqAEAAEAAABABgAAA6AEAAEAAAB9BAAAAAAAAP/bAIQAAwICCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICggICAgJCQkICAsNCggNCAgJCAEDBAQGBQYIBgYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI/8AAEQgEfQZAAwEiAAIRAQMRAf/EAB0AAQABBQEBAQAAAAAAAAAAAAAGAQIEBQcICQP/xABoEAABBAECAwMFCA4IAgYGARUBAAIDBAUREgYTIQcUMQgVIkFRFhgzU5GS0dMjJDI0UlRhcXKBk5Sy8AlCVXOVsbPUocEXJTVDdNImYnW0wuE2RYKEo7XxJ0RWY3aDojeW5BlGZGXE/8QAGwEBAAIDAQEAAAAAAAAAAAAAAAEDAgQFBgf/xABEEQEAAQIBCQQIBAQFAwQDAAAAAQIRAwQSExUhMVFSkhZB0eEFU2FxkaGi0gYiMoEUQmKTM7HB4vBDcoIHI1SyNETC/9oADAMBAAIRAxEAPwD6nWLAaCSdAFoZ+NYWkgkjTp4KvGsxbCSFIAEEa93sHtT3ewe1SVEEa93sHtT3ewe1SVNUEa93sHtT3ewe1SUKuiCM+72D2p7vYPapKii4jXu9g9qe72D2qSopEa93sHtT3ewe1SbRNEEZ93sHtT3ewe1SbRNEEZ93sHtT3ewe1SbRNEEZ93sHtT3ewe1SbRNEEZ93sHtT3ewe1SbRNEEZ93sHtT3ewe1SVFFxGvd7B7U93sHtUm0TRSIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaIIz7vYPanu9g9qk2iaII9BxtC46An9S3tawHDUHUFXlaHgucuiBJ1/wDvlB+PHnwB/UpISo3x58Af1KRuUSLXPWmv8bU4vhbdaP8ATmjb/E4Lw35bXHOUZmTUo2LbGCoyYx1ZJQegeZHlsZHotaNXH1DReWMvjsnMRzmXZSYuf9kEzyYdu/nekCeXs9IuPo+HVenyX0JpqKMSrFinPi8R3uHj+kpoqqopombd/c+zWMzMUzBJDJHNGdQHxObI0kHQ6OaSDofHr0WYCvA/kpYihNjqkMpz7ZpJXs305cjDSaS9wBD4HNgZ/wCsflXpnsOhdDbzFLmzSw1J67YTYlfPK0SQcxwdLIS53UjTUrlZRkeiqri8zm8YteLxGzb7W/g5RnxTNt/B2BquVrVcubE3huvzL1XmLyzwBin5HO5qCxbuiKvI0wshtzwtZuc4dAx7fUNPALrn/QTW/G8p/iVv61bWLgU4U2qr7ondxi6+qiKd8913Sd6vaV5U7Y8I/GZLBsrXL+yzaLZmy3LEzXNbJBtG17yOu9w9nUr1U1Y4mDmU01XvFcTMftNmNdGbETe91yoSqrX57MtrxPlfrtYNTp4/mVCpnEqoK83RdpBntiWeeaGEaERxF3UeIBDXDqfzeC6rR7ZaD9GiRw9Wr2lvyl3rQT1Fj1bjZAHMcHNPgQQQVkICIiAqEoVDu1LtEjxlSSy8bi3oxg8Xu9QH5fX6/BZ0UTXVFNMXmWFVUUxeUuc5U3rhXZzeys9a/fuu5bJqr3VoW6gx7WvcH69PSI066A9F5b4czOWd3WeXJXYa09h0TZufNK1j2vYDuZvYCz0vAuC6eD6PnFmuNJTGZ79vsj2ubiZfFGbObVaqfZs9s7X0d1VVq+HtRBCC/mkRR6yabeYdjfT01O3d46a+tbMFcqdk29tnUibxdVEVFCVUREBERAREQEREBERAREQEREBERARUK0HEfHlKmWi3br1i/UsE8scW7Tx27yNdPyIJAi1+Dz0NmMTV5Y5ona7ZInNex2njo5pIKzXv06/zogvRRB/azjBHzjkKYi5nJ5hsRbOaBuMe7dpvDRqW+K2mF4yq2YnTV7MM8TN26SKRj2N2jV2rmu0Gn5fBBu0WowHFFe0zm1Z4rEe4t5kMjZGbhpq3c0kajXTTVW4ji6rYfLFBYhmkgcWTMjka98TgS3bI1p1a4EEEEepBuUUcxPaHRnmdXhuVpZ2bt0MczHyt2fdaxtduG316hLHaHQZYFR12s20SAK5njExJGoHLLt2ugPQBBI0VmqxaWXikdI2ORj3RO2SBrgSx+gIa8Dq0kEHr6igzUWBFl4zK6ASMMzWCR0W4F4Y46BxaDuDT4AkLOQVRYNnLxskjidIxskgcY4y4B7wzQvLWnqQwEEkJBl43vkibIx0kW3mMBBczeNW72jq3cBqNfEdUGcitcVgVs3E90rWSsc6E7ZmhzSYnFu8NkAPonaQ7r6kGxRRGXtYxjY+c7I0xFvMRkNmIM5jdSWbi4DcB1LfFSTGZKOaNksT2yRyNDmSMIcx7T4FrhqCD7UGUiwbOWjZJHE6RjZJt3KY5wD5Njdz9jToXbW9Tp4KPntXxnO7v5w
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1548878544",`
			`"to_ids": false,`
			`"type": "attachment",`
			`"uuid": "5c5202d0-e2fc-4be4-bf46-406f02de0b81",`
			`"value": "image11.jpg"`
			`}`
			`],`
			`"Object": [`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "File object describing a file with meta-information",`
			`"meta-category": "file",`
			`"name": "file",`
			`"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",`
			`"template_version": "11",`
			`"timestamp": "1548878618",`
			`"uuid": "db2f6f9a-9fd2-4815-ab19-3e80b630afee",`
			`"ObjectReference": [`
			`{`
			`"comment": "",`
			`"object_uuid": "db2f6f9a-9fd2-4815-ab19-3e80b630afee",`
			`"referenced_uuid": "83ffea5f-5ac1-4359-a694-73fe84275425",`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`"relationship_type": "analysed-with",`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"timestamp": "1548878619",`
			`"uuid": "5c52031b-148c-4b18-beb5-41af02de0b81"`
			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "md5",`
			`"timestamp": "1548878619",`
			`"to_ids": true,`
			`"type": "md5",`
			`"uuid": "572e564c-fe17-4783-b26f-c0c43c78fef1",`
			`"value": "c067345667eded99610e51042a14081a"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha1",`
			`"timestamp": "1548878619",`
			`"to_ids": true,`
			`"type": "sha1",`
			`"uuid": "0d1f612a-fd63-4544-94f4-80d518d10e85",`
			`"value": "ea9bd89535c250c7bb7d98d10971ca586a574c53"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha256",`
			`"timestamp": "1548878619",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "38112b03-a033-4106-8a1a-fcfc5959b18e",`
			`"value": "1497ab6ddccf91ef7f2cd75ce020bb3bf39979210351deaa6e0025997ddfda5a"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "VirusTotal report",`
			`"meta-category": "misc",`
			`"name": "virustotal-report",`
			`"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",`
			`"template_version": "2",`
			`"timestamp": "1548878619",`
			`"uuid": "83ffea5f-5ac1-4359-a694-73fe84275425",`
			`"Attribute": [`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "last-submission",`
			`"timestamp": "1548878619",`
			`"to_ids": false,`
			`"type": "datetime",`
			`"uuid": "2f301aee-3a07-4315-a9fe-35f15b9d6423",`
			`"value": "2017-07-03T03:11:00"`
			`},`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "permalink",`
			`"timestamp": "1548878619",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "e6031ce3-dc7d-4d15-a1ea-635e060a2f02",`
			`"value": "https://www.virustotal.com/file/1497ab6ddccf91ef7f2cd75ce020bb3bf39979210351deaa6e0025997ddfda5a/analysis/1499051460/"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "detection-ratio",`
			`"timestamp": "1548878619",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "36547772-c3a7-4c9a-a7ad-cf22d140afe5",`
			`"value": "32/62"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "File object describing a file with meta-information",`
			`"meta-category": "file",`
			`"name": "file",`
			`"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",`
			`"template_version": "11",`
			`"timestamp": "1548878619",`
			`"uuid": "30e63e4f-a33b-4e63-85a6-37485fb077a2",`
			`"ObjectReference": [`
			`{`
			`"comment": "",`
			`"object_uuid": "30e63e4f-a33b-4e63-85a6-37485fb077a2",`
			`"referenced_uuid": "4dcb8302-c888-44dc-bb62-d35f09261019",`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`"relationship_type": "analysed-with",`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`"timestamp": "1548878619",`
			`"uuid": "5c52031b-db50-484e-b4ec-48de02de0b81"`
			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "md5",`
			`"timestamp": "1548878619",`
			`"to_ids": true,`
			`"type": "md5",`
			`"uuid": "2eba6971-80b4-45a0-b749-84f304462525",`
			`"value": "fbd1cd15019c0dd6659a59bc93b8596f"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha1",`
			`"timestamp": "1548878619",`
			`"to_ids": true,`
			`"type": "sha1",`
			`"uuid": "624befbd-35c5-4cc8-8e5c-efe6a0b32328",`
			`"value": "050dbe26683f5d39c8773da4a4b7d3dd28addc00"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha256",`
			`"timestamp": "1548878619",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "823ed46d-d453-4180-8e97-77c90cd6d35b",`
			`"value": "bf27c1631ef64c1e75676375a85d48f8ae97e1ea9a5f67c2beefc02c609fc18b"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "VirusTotal report",`
			`"meta-category": "misc",`
			`"name": "virustotal-report",`
			`"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",`
			`"template_version": "2",`
			`"timestamp": "1548878619",`
			`"uuid": "4dcb8302-c888-44dc-bb62-d35f09261019",`
			`"Attribute": [`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "last-submission",`
			`"timestamp": "1548878619",`
			`"to_ids": false,`
			`"type": "datetime",`
			`"uuid": "e27a0948-b861-4c5a-8bed-1e7733ad3f54",`
			`"value": "2019-01-30T10:52:43"`
			`},`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "permalink",`
			`"timestamp": "1548878619",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "61389d49-4a4d-4917-bbef-dce3db7cffae",`
			`"value": "https://www.virustotal.com/file/bf27c1631ef64c1e75676375a85d48f8ae97e1ea9a5f67c2beefc02c609fc18b/analysis/1548845563/"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "detection-ratio",`
			`"timestamp": "1548878619",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "ae01b2c6-6e9f-4e1e-93e7-5fc722af7bcd",`
			`"value": "34/58"`
			`}`
			`]`
			`}`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`]`
chg: [gen] updated 2023-12-14 14:30:15 +00:00			`}`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`}`