North Korea hackers use new MISTPEN malware to target the energy and aerospace industries

A cyber-espionage gang associated with North Korea has been seen using job-themed phishing lures to target potential victims in the energy and aerospace verticals and infect them with MISTPEN, an as-yet-undocumented backdoor.

The activity cluster is tracked by Google-owned Mandiant under the codename UNC2970, which says it overlaps with the threat group TEMP.Hermit, also known as Diamond Sleet (previously Zinc) and more broadly as Lazarus Group.

Active since at least 2013, the threat actor has a history of targeting financial, defense, telecommunications, and government organizations worldwide to gather strategic intelligence that advances North Korean interests. It is associated with the Reconnaissance General Bureau (RGB), North Korea's primary foreign intelligence service.

The threat intelligence company reported that it has seen multiple entities in the United States, the United Kingdom, the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia being singled out by UNC2970.

“UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies,” it said in a new analysis, adding that the group copies legitimate job postings and modifies them to fit each target's profile.

“Moreover, the chosen job descriptions target senior-/manager-level employees. This suggests the threat actor aims to gain access to sensitive and confidential information that is typically restricted to higher-level employees.”

The attack chains, also referred to as Operation Dream Job, involve interacting with victims via email and WhatsApp using spear-phishing lures in an effort to gain their trust before forwarding a malicious ZIP archive file that appears to be a job description.

A curious quirk is that the job-description PDF can only be opened with a tampered copy of Sumatra PDF, a legitimate open-source PDF reader that is bundled in the archive and serves to deliver MISTPEN via a launcher tracked as BURNBOOK.

It is important to clarify that this does not imply a supply chain compromise of Sumatra PDF or a vulnerability in it. Rather, the attackers took an outdated version of the reader and modified it so that opening the PDF starts the infection chain.

Mandiant and Microsoft have both highlighted the group's use of trojanized installers of open-source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording, in these attacks. It is a tried-and-tested technique the group has relied on since 2022.

The threat actors are believed to instruct victims to open the PDF with the bundled, weaponized reader, which in turn loads a malicious DLL: BURNBOOK, a launcher written in C/C++.

“This file is a dropper for an embedded DLL, ‘wtsapi32.dll,’ which is tracked as TEARPAGE and used to execute the MISTPEN backdoor after the system is rebooted,” Mandiant researchers said. “MISTPEN is a trojanized version of a legitimate Notepad++ plugin, binhex.dll, which contains a backdoor.”

TEARPAGE, the loader embedded in BURNBOOK, is responsible for decrypting and launching MISTPEN. MISTPEN itself is a lightweight C-based implant that can download and execute Portable Executable (PE) files fetched from a command-and-control (C2) server, and it also supports Microsoft Graph URLs over HTTP as C2 endpoints.
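The chain above (a document archive that ships its own PDF reader, a DLL loaded beside it, and a second-stage DLL named like a Windows system library) is a textbook DLL side-loading setup, so it lends itself to a simple triage heuristic. The following is an added example written for this article; it is not code from Mandiant, from the attackers, or from the original page. The archive contents, the host file listing, the DLL name `render.dll` and the short list of System32 DLL names are all constructed for illustration; the only names taken from the report are SumatraPDF, wtsapi32.dll and binhex.dll.

```python
"""Triage heuristics for the job-lure side-loading chain described above.

Added example, not Mandiant's, the attackers' or the page's code. Sample
archive contents and host paths are constructed; SYSTEM_DLLS is a short
constructed sample, not a complete inventory of System32.
"""
import io
import ntpath
import zipfile
from dataclasses import dataclass, field

# DLLs Windows normally ships only under System32/SysWOW64. A copy sitting
# beside a user-mode EXE, or under a user profile, is the classic search-order
# hijack / side-load setup. Constructed sample list.
SYSTEM_DLLS = {"wtsapi32.dll", "version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr")
DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list[str] = field(default_factory=list)


def triage_archive(zip_bytes: bytes) -> Verdict:
    """Flag a 'job description' ZIP that bundles its own viewer or side-load DLLs."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n.lower() for n in zf.namelist() if not n.endswith("/")]
    exes = [n for n in names if n.endswith(EXECUTABLE_SUFFIXES)]
    dlls = [n for n in names if n.endswith(".dll")]
    docs = [n for n in names if n.endswith(DOCUMENT_SUFFIXES)]
    reasons: list[str] = []
    # A document archive has no legitimate reason to ship the program that opens it.
    if docs and exes:
        reasons.append(f"documents {docs} bundled with executables {exes}")
    # Any DLL shipped beside a portable EXE is a side-load candidate; one named
    # like a System32 DLL (as wtsapi32.dll is in this campaign) is the strongest signal.
    for dll in dlls:
        base = ntpath.basename(dll.replace("/", "\\"))
        label = "system DLL name" if base in SYSTEM_DLLS else "unexpected DLL"
        if exes:
            reasons.append(f"{label} {base} shipped alongside executables {exes}")
    return Verdict(bool(reasons), reasons)


def hunt_misplaced_system_dlls(paths: list[str]) -> list[str]:
    """Return paths whose file name matches a System32 DLL but that live elsewhere.

    This is the on-host check for the TEARPAGE stage, which the report says is
    dropped as 'wtsapi32.dll' and executed after reboot.
    """
    hits = []
    for p in paths:
        lowered = p.lower().replace("/", "\\")
        if ntpath.basename(lowered) in SYSTEM_DLLS and not lowered.startswith(SYSTEM_DIRS):
            hits.append(p)
    return hits


def build_sample_lure() -> bytes:
    """Constructed archive mimicking the lure: a PDF plus a bundled reader and a DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.7\n% constructed placeholder\n")
        zf.writestr("SumatraPDF.exe", b"MZ placeholder, not a real binary")
        zf.writestr("render.dll", b"MZ placeholder, not a real binary")  # constructed name
    return buf.getvalue()


SAMPLE_HOST_PATHS = [  # constructed listing, not from the report
    r"C:\Windows\System32\wtsapi32.dll",
    r"C:\Users\alice\AppData\Roaming\Notepad++\plugins\binhex.dll",
    r"C:\Users\alice\AppData\Local\Temp\wtsapi32.dll",
]

if __name__ == "__main__":
    verdict = triage_archive(build_sample_lure())
    print("archive suspicious:", verdict.suspicious)
    for reason in verdict.reasons:
        print("  -", reason)
    print("misplaced system DLLs:", hunt_misplaced_system_dlls(SAMPLE_HOST_PATHS))
```

Both checks are intentionally coarse. The archive heuristic will also flag legitimate portable-app bundles that carry a document, so it belongs in mail-gateway or sandbox triage rather than as a blocking rule; the host check only catches the side-load stage if the dropped DLL keeps a System32 name, which is why the report's note about the malware being continuously reworked matters for anyone turning this into a detection.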

Mandiant also reported finding earlier BURNBOOK and MISTPEN artifacts, suggesting the tools are being continuously refined to add functionality and evade detection. The earliest MISTPEN samples were found to use compromised WordPress websites as C2 domains.

“The threat actor has improved their malware over time by implementing new features and adding a network connectivity check to hinder the analysis of the samples,” the researchers said.
