Friday, December 6, 2024

UNC2970 Hackers Attacking Job Seekers Using Weaponized PDF Reader


UNC2970, a North Korean cyber espionage group, used customized SumatraPDF trojans to deliver MISTPEN backdoors to victims through phishing emails pretending to be job recruiters. 

The group targeted the energy and aerospace industries, copying job descriptions and engaging with victims via email and WhatsApp.

The group tailors each job description to a specific victim in U.S. critical infrastructure, aligning the stated requirements with the victim's profile and targeting senior-level employees in order to gain access to confidential information.


Researchers found a malicious archive with a fake job PDF targeting the energy sector. The PDF omitted specific details from the legitimate job description to avoid suspicion. 

Original vs. modified

The victim opened a malicious ZIP archive containing a PDF lure and a trojanized SumatraPDF component. The trojan, upon system reboot, executes the MISTPEN backdoor, compromising the victim’s system.

The trojanized PDF viewer, built from the open-source SumatraPDF project, contains a deliberately introduced flaw in the modified code that is triggered, and leads to execution of malicious code, only when a specific PDF file is opened.

The SumatraPDF executable loads a trojanized libmupdf.dll, which decrypts the BAE job description PDF and loads the backdoor named MISTPEN. MISTPEN is a modified Notepad++ plugin; the launcher writes the encrypted backdoor to disk and creates a scheduled task that executes it daily through BdeUISrv.exe and a sideloaded wtsapi32.dll.

Infection lifecycle diagram

An analysis reveals that BURNBOOK, a malicious launcher, leverages a modified SumatraPDF DLL as a payload. Triggered by opening a PDF lure, the DLL decrypts and writes the encrypted payload to disk. 

The PDF lure carries the encryption key and nonce needed for decryption: the encrypted PDF is embedded inside a larger container file and is decrypted in chunks with a ChaCha20 cipher initialised with the key and nonce extracted from that container.

The embedded PDF file is decrypted using the cipher

After reaching a specific offset, the function reads the size of the encrypted backdoor DLL and decrypts it using the ChaCha20 cipher, which is then loaded into SumatraPDF.exe’s memory for execution.  

The malware persists by copying its files to %APPDATA%, re-encrypting the backdoor code with the same key and nonce, saving the result as Thumbs.ini, and scheduling a daily task to execute the backdoor.
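The chunked ChaCha20 decryption described above is the step an analyst reproduces when extracting the payload from a captured lure, and it has one classic pitfall: the block counter must be carried across chunks, otherwise every chunk after the first is XORed with the wrong keystream. The following is an added example, not code from the article or from Mandiant's analysis. The container layout (a magic value, then key, nonce, payload length and ciphertext) is an assumption made for illustration; the real file offsets are not given in the article. The key, nonce and payload are constructed sample values, not indicators from the report.

```python
"""Added example: analyst-side decryptor for a BURNBOOK-style container.
Container layout below is an ASSUMPTION for illustration only."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 32-byte key, 32-bit counter, 12-byte nonce -> 64 keystream bytes."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & MASK32]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


class ChaCha20Stream:
    """Keystream XOR that remembers its position, so data can be fed chunk by chunk."""

    def __init__(self, key, nonce, counter=0):
        self.key, self.nonce, self.counter = key, nonce, counter
        self._buf, self._pos = b"", 0

    def process(self, data):
        out = bytearray(len(data))
        for i, byte in enumerate(data):
            if self._pos == len(self._buf):  # keystream block exhausted: advance the counter
                self._buf = chacha20_block(self.key, self.counter, self.nonce)
                self.counter = (self.counter + 1) & MASK32
                self._pos = 0
            out[i] = byte ^ self._buf[self._pos]
            self._pos += 1
        return bytes(out)


# ASSUMED container layout (illustration only):
# magic(4) | key(32) | nonce(12) | payload_len(4, little-endian) | ciphertext(payload_len)
MAGIC = b"LURE"
HEADER = struct.Struct("<4s32s12sI")


def build_container(plaintext, key, nonce):
    """Builds a sample container so the decryptor has something to run on."""
    ct = ChaCha20Stream(key, nonce).process(plaintext)
    return HEADER.pack(MAGIC, key, nonce, len(ct)) + ct


def decrypt_container(blob, chunk_size=128):
    """Reads key, nonce and length from the header, then decrypts in chunks with ONE stream."""
    magic, key, nonce, length = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("not a container")
    body = blob[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated payload")
    stream = ChaCha20Stream(key, nonce)
    return b"".join(stream.process(body[i:i + chunk_size]) for i in range(0, length, chunk_size))


def decrypt_container_restarting_counter(blob, chunk_size=128):
    """The pitfall: a fresh cipher per chunk resets the block counter to 0,
    so every chunk after the first decrypts to garbage."""
    _, key, nonce, length = HEADER.unpack_from(blob, 0)
    body = blob[HEADER.size:HEADER.size + length]
    return b"".join(ChaCha20Stream(key, nonce).process(body[i:i + chunk_size])
                    for i in range(0, length, chunk_size))


# Constructed sample values (not indicators from the article).
SAMPLE_KEY = bytes(range(32))
SAMPLE_NONCE = bytes(range(12))
SAMPLE_PAYLOAD = b"%PDF-1.7 constructed sample payload " * 10  # 360 bytes -> three 128-byte chunks

if __name__ == "__main__":
    blob = build_container(SAMPLE_PAYLOAD, SAMPLE_KEY, SAMPLE_NONCE)
    print("correct decryptor recovers payload:", decrypt_container(blob) == SAMPLE_PAYLOAD)
    print("counter-restarting decryptor recovers payload:",
          decrypt_container_restarting_counter(blob) == SAMPLE_PAYLOAD)
```

Because the same key and nonce are reused to re-encrypt the backdoor into Thumbs.ini, the keystream is identical for both files, so a decryptor built from the lure's values also recovers the persisted copy; the same reuse is why a defender holding the lure and the container needs no further secret.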

MISTPEN, a C-based backdoor, communicates with Microsoft Graph APIs after decrypting an access token with a hardcoded AES key; it downloads and executes PE files and can be used for data exfiltration.

The backdoor can execute PE payloads, terminate the process, sleep for specified intervals, or hibernate with updated sleep times, sending corresponding messages to its C2 to indicate status or completion.

A pseudocode representation of the malicious code in wtsapi32.dll

The malware hijacks BdeUISrv.exe’s DLL search order to load TEARPAGE, a loader that decrypts a ChaCha20-encrypted backdoor DLL from %APPDATA%\Thumbs.ini.

The decrypted backdoor, MISTPEN, is then reflectively loaded into BdeUISrv.exe's memory space and executed.
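The persistence chain above leaves three host artefacts a defender can hunt for: a scheduled task that runs a copy of BdeUISrv.exe from a user profile, wtsapi32.dll resolved from that same user-writable directory instead of the system directory (the search-order hijack), and a Thumbs.ini file under %APPDATA%. The following is an added example, not code from the article or from Mandiant, that expresses those three checks as rules over constructed sample telemetry. It assumes that the legitimate BdeUISrv.exe and wtsapi32.dll reside under %SystemRoot%\System32 (or SysWOW64) and that Thumbs.ini is not a file Windows creates on its own (Thumbs.db is); the task names, user name and paths in the sample data are constructed.

```python
"""Added example: hunting rules for the BdeUISrv.exe / wtsapi32.dll / Thumbs.ini
persistence pattern, run over CONSTRUCTED sample telemetry."""
from pathlib import PureWindowsPath

# Assumption: these are the only legitimate homes of BdeUISrv.exe and wtsapi32.dll.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _norm(path):
    return str(PureWindowsPath(path)).lower()


def _in_system_dir(path):
    return _norm(path).startswith(SYSTEM_DIRS)


def check_scheduled_tasks(tasks):
    """tasks: iterable of {"name", "action"}. Flags BdeUISrv.exe launched from outside the system directory."""
    hits = []
    for t in tasks:
        if PureWindowsPath(t["action"]).name.lower() == "bdeuisrv.exe" and not _in_system_dir(t["action"]):
            hits.append(("task_launches_copied_bdeuisrv", t["name"], t["action"]))
    return hits


def check_image_loads(events):
    """events: iterable of {"process", "image"} (the fields an image-load event carries).
    Flags wtsapi32.dll resolved from a non-system directory: the DLL search-order hijack."""
    hits = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() == "wtsapi32.dll" and not _in_system_dir(e["image"]):
            hits.append(("wtsapi32_sideloaded", e["process"], e["image"]))
    return hits


def check_files(paths):
    """paths: iterable of file paths. Flags Thumbs.ini under a user's AppData\\Roaming (%APPDATA%)."""
    hits = []
    for p in paths:
        if PureWindowsPath(p).name.lower() == "thumbs.ini" and "\\appdata\\roaming\\" in _norm(p):
            hits.append(("thumbs_ini_in_appdata", p))
    return hits


def hunt(tasks, loads, files):
    """Runs all three rules and returns the combined findings."""
    return check_scheduled_tasks(tasks) + check_image_loads(loads) + check_files(files)


# Constructed telemetry: one benign and one suspicious record per source.
SAMPLE_TASKS = [
    {"name": "BitLockerRefresh", "action": r"C:\Windows\System32\BdeUISrv.exe"},
    {"name": "UpdateTask", "action": r"C:\Users\alice\AppData\Roaming\BdeUISrv.exe"},
]
SAMPLE_LOADS = [
    {"process": r"C:\Windows\System32\BdeUISrv.exe",
     "image": r"C:\Windows\System32\wtsapi32.dll"},
    {"process": r"C:\Users\alice\AppData\Roaming\BdeUISrv.exe",
     "image": r"C:\Users\alice\AppData\Roaming\wtsapi32.dll"},
]
SAMPLE_FILES = [
    r"C:\Users\alice\Pictures\Thumbs.db",
    r"C:\Users\alice\AppData\Roaming\Thumbs.ini",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_TASKS, SAMPLE_LOADS, SAMPLE_FILES):
        print(*hit)
```

Each rule is deliberately narrow and keyed on a file name plus a directory class rather than on a hash, so it survives the sample being recompiled; a single hit from any rule is worth triage, and all three together on one host match the chain the article describes.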

Mandiant analysis reveals MISTPEN malware evolution with added persistence, configuration saving, and improved C2 infrastructure compared to earlier versions.

UNC2970, a North Korean cyber espionage group, uses job-themed phishing emails and WhatsApp messages to deliver malicious archives to victims in several countries. This tradecraft resembles UNC4034's past activity and aligns with the group's interest in strategic intelligence.
