Keypoints
- Actors used spear-phishing themed as lecture/interview requests to initiate contact and lure replies.
- Malicious files were delivered using multiple container/formats: LNK, ISO, MSC, HWP, and weaponized docx/pdf lures.
- Phishing lure pages mimicked a “Secure Email” flow and redirected victims to credential-harvesting pages that emulate recipients’ mail services.
- Compromised credentials were used to redirect victims to attacker-controlled Google Drive hosting the expected lecture document, masking the theft.
- Malicious files and links were also distributed via cloud services such as OneDrive and Proton Drive.
- Investigators observed linguistic correlation across C2 servers and mailer accounts; Genian EDR flagged MSC-based attack behaviors.
MITRE Techniques
- [T1566] Phishing – Brief description: spear-phishing emails impersonated lecture/interview requests and used cloud links to deliver payloads. (‘Disguising malicious emails as legitimate requests for lectures or interviews.’)
- [T1203] Malware (as listed in article) – Brief description: multiple file types used to deliver and execute malicious code on victims’ systems. (‘Using various file types (LNK, ISO, MSC, HWP) to deliver malware.’)
Indicators of Compromise
- [Domain] phishing lure domains – cicctv.co[.]kr, dh00386[.]com, and jinsungm[.]com, used for the “Secure Email” phishing pages.
- [IP Address] infrastructure IPs – 112.175.50[.]142, 183.111.161[.]156, and 112.175.85[.]243 associated with those domains.
- [File types] malicious delivery containers and lures – LNK, ISO (delivery), MSC (MS management console-based execution), HWP; docx/pdf used as visible lecture request lures.
- [Cloud services] delivery and hosting platforms – Google Drive (attacker-hosted lecture doc), OneDrive, Proton Drive used to distribute or host malicious files/links.
Attack flow and technical procedure: The campaign begins with tailored spear-phishing emails requesting lectures or interviews; the email body presents an attachment area labeled as a “Secure Document” that links to a phishing lure page. That lure page hosts a “View Secure Email” link which opens a credential-harvesting page mimicking the recipient’s mail service; harvested credentials are then used to redirect victims to an attacker-controlled Google Drive containing a benign-looking lecture document to conceal the compromise.
Malware delivery and execution: Malicious payloads are delivered via cloud-hosted links or downloadable containers in multiple formats (LNK, ISO, MSC, HWP). The threat actors leverage MSC-based tactics for follow-up execution (MS Management Console chains) and use weaponized document variants (docx/pdf) as social-engineering bait; defenders can detect anomalous MSC activity and related process chains with endpoint monitoring tools such as Genian EDR.
Infrastructure and detection notes: Investigators found linguistic correlation across C2 domains and mailer accounts and mapped phishing lure domains and associated IPs (see IOC list). Mitigations focus on blocking identified domains/IPs, enforcing multi-factor authentication to defend against credential harvesting, restricting execution of suspicious container types (LNK/MSC/ISO/HWP), and monitoring for unusual use of cloud-hosted documents and MSC execution chains.
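The detection and mitigation notes above can be turned into concrete log checks. The following is an added example, not code from the Genians article or its products: it refangs the page's published domain and IP indicators and runs two simple rules over constructed proxy and endpoint process log lines (the `key=value` log format, the host/user names, and the list of child processes and user-writable directories treated as suspicious are all assumptions of this example). Rule one flags contact with the listed domains (including subdomains) or IPs; rule two flags the MSC execution chain described above, i.e. `mmc.exe` opening a `.msc` file from a download or temp location and then spawning a shell or script host.

```python
import re
from typing import Dict, List

# Indicators copied from the page's IOC list (published defanged with "[.]").
IOC_DOMAINS_DEFANGED = ["cicctv.co[.]kr", "dh00386[.]com", "jinsungm[.]com"]
IOC_IPS_DEFANGED = ["112.175.50[.]142", "183.111.161[.]156", "112.175.85[.]243"]


def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return value.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_IPS = {refang(i) for i in IOC_IPS_DEFANGED}

# Assumption: children the Management Console should not normally spawn.
SUSPICIOUS_MMC_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                           "cscript.exe", "mshta.exe", "rundll32.exe"}
# Assumption: directories where a mailed or cloud-downloaded .msc file lands.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\")

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a key=value log line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def domain_matches(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def check_proxy_line(line: str) -> List[str]:
    """Rule 1: contact with a listed domain or IP."""
    rec = parse_kv(line)
    alerts = []
    if domain_matches(rec.get("dest", "")):
        alerts.append(f"IOC domain contact: {rec['dest']} by {rec.get('user', '?')}")
    if rec.get("ip") in IOC_IPS:
        alerts.append(f"IOC IP contact: {rec['ip']} by {rec.get('user', '?')}")
    return alerts


def check_process_line(line: str) -> List[str]:
    """Rule 2: MSC console opened from a user-writable path, or mmc.exe spawning a shell/script host."""
    rec = parse_kv(line)
    image = rec.get("image", "").lower()
    parent = rec.get("parent", "").lower()
    cmdline = rec.get("cmdline", "").lower()
    host = rec.get("host", "?")
    alerts = []
    if image == "mmc.exe" and ".msc" in cmdline and any(d in cmdline for d in USER_WRITABLE_DIRS):
        alerts.append(f"MSC opened from user-writable path on {host}: {rec.get('cmdline')}")
    if parent == "mmc.exe" and image in SUSPICIOUS_MMC_CHILDREN:
        alerts.append(f"mmc.exe spawned {image} on {host}")
    return alerts


def scan(proxy_lines: List[str], process_lines: List[str]) -> List[str]:
    """Run both rules and return every alert produced."""
    alerts: List[str] = []
    for line in proxy_lines:
        alerts.extend(check_proxy_line(line))
    for line in process_lines:
        alerts.extend(check_process_line(line))
    return alerts


# Constructed sample logs (not from the page). Hosts, users and timestamps are invented.
SAMPLE_PROXY_LOG = [
    "2024-05-02T09:12:03Z host=ws07 user=jlee dest=mail.example-corp.com ip=203.0.113.10 url=https://mail.example-corp.com/owa",
    "2024-05-02T09:14:41Z host=ws07 user=jlee dest=cicctv.co.kr ip=112.175.50.142 url=https://cicctv.co.kr/secure/view",
    "2024-05-02T09:15:02Z host=ws12 user=kpark dest=www.dh00386.com ip=183.111.161.156 url=https://www.dh00386.com/mail/login",
]
SAMPLE_PROCESS_LOG = [
    '2024-05-02T09:20:10Z host=ws07 parent=explorer.exe image=mmc.exe cmdline="mmc.exe C:\\Users\\jlee\\Downloads\\lecture_request.msc"',
    '2024-05-02T09:20:12Z host=ws07 parent=mmc.exe image=cmd.exe cmdline="cmd.exe"',
    '2024-05-02T10:01:00Z host=srv03 parent=explorer.exe image=mmc.exe cmdline="mmc.exe C:\\Windows\\System32\\services.msc"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PROXY_LOG, SAMPLE_PROCESS_LOG):
        print(alert)
```

The third process line (an administrator opening `services.msc` from System32) produces no alert, which is the point of requiring a user-writable path: the rule targets delivered `.msc` files rather than normal console use. In practice the indicator sets would be loaded from a feed and the rules expressed in the EDR or SIEM query language, but the matching logic is the same.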
Read more: https://www.genians.co.kr/blog/threat_intelligence/blueshark