
UNC2970 Hackers Attacking Job Seekers Using Weaponized PDF Reader

UNC2970, a North Korean cyber espionage group, used customized SumatraPDF trojans to deliver the MISTPEN backdoor to victims through phishing emails in which the operators posed as job recruiters.

The group targeted the energy and aerospace industries, copying job descriptions and engaging with victims via email and WhatsApp.

The group tailors the job descriptions to specific victims in U.S. critical infrastructure, aligning the stated requirements with the victim’s profile and targeting senior-level employees in order to gain access to confidential information.


Researchers found a malicious archive containing a fake job PDF aimed at the energy sector. The PDF omitted specific details from the legitimate job description to avoid suspicion.

Original vs. modified

The victim opened a malicious ZIP archive containing a PDF lure and a trojanized SumatraPDF component. The trojan, upon system reboot, executes the MISTPEN backdoor, compromising the victim’s system.

The trojanized PDF viewer, built from the open-source SumatraPDF project, used a vulnerability introduced in the modified code to execute malicious code when the specific lure PDF was opened.

The SumatraPDF executable loads a trojanized libmupdf.dll, which decrypts the BAE job description PDF and loads a backdoor named MISTPEN. MISTPEN is a modified Notepad++ plugin; it writes an encrypted copy of the backdoor to disk and creates a scheduled task that executes it daily through BdeUISrv.exe and wtsapi32.dll.

Infection lifecycle diagram

Analysis shows that BURNBOOK, a malicious launcher, uses a modified SumatraPDF DLL as its payload. Triggered when the PDF lure is opened, the DLL decrypts the encrypted payload and writes it to disk.

The PDF lure carries the encryption key and nonce needed for decryption: the encrypted PDF embedded in the larger container file is decrypted in chunks with the ChaCha20 cipher, initialized with the key and nonce extracted from the container.

The embedded PDF file is decrypted using the cipher

Once it reaches a specific offset, the function reads the size of the encrypted backdoor DLL, decrypts it with the same ChaCha20 cipher, and loads the result into the memory of SumatraPDF.exe for execution.
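The chunked ChaCha20 decryption described above has one pitfall an analyst writing an unpacker runs into immediately: ChaCha20 is a stream cipher, so every chunk has to resume the keystream at its absolute byte position rather than restarting the block counter. The following added example (not code from the article, Mandiant, or the malware) implements RFC 7539 ChaCha20 in pure Python, checks it against the RFC block-function test vector, and then unpacks a container whose layout is entirely hypothetical (key, nonce, length-prefixed encrypted PDF, length-prefixed encrypted DLL); the real container's layout, chunk size, and whether the embedded DLL reuses the container key and nonce are not public, so those are assumptions. It also shows the consequence of reusing one key and nonce for two payloads: XORing the two ciphertexts cancels the keystream.

```python
import struct

MASK32 = 0xFFFFFFFF
CHUNK = 1024  # assumed chunk size; the launcher's real chunk size is not public


def _rotl32(v: int, n: int) -> int:
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block (RFC 7539: 32-byte key, 12-byte nonce, 32-bit counter)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 x (column round, diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, stream_offset: int = 0) -> bytes:
    """XOR data with the keystream starting at absolute byte position stream_offset.

    Decrypting a file chunk by chunk only works when each chunk resumes the keystream
    at its own offset (block counter = offset // 64, then skip offset % 64 bytes)."""
    out = bytearray()
    pos = stream_offset
    while len(out) < len(data):
        block = chacha20_block(key, pos // 64, nonce)
        skip = pos % 64
        take = min(64 - skip, len(data) - len(out))
        start = len(out)
        out += bytes(p ^ k for p, k in zip(data[start:start + take], block[skip:skip + take]))
        pos += take
    return bytes(out)


def build_container(key: bytes, nonce: bytes, pdf: bytes, dll: bytes) -> bytes:
    """Hypothetical layout: key | nonce | u32 pdf_len | enc(pdf) | u32 dll_len | enc(dll).
    The DLL is assumed to reuse the container key and nonce (counter restarted at 0)."""
    enc_pdf = chacha20_xor(key, nonce, pdf)
    enc_dll = chacha20_xor(key, nonce, dll)
    return (key + nonce + struct.pack("<I", len(enc_pdf)) + enc_pdf
            + struct.pack("<I", len(enc_dll)) + enc_dll)


def unpack_container(blob: bytes) -> tuple:
    """Parse the hypothetical container and decrypt the PDF in CHUNK-sized pieces."""
    key, nonce = blob[:32], blob[32:44]
    off = 44
    (pdf_len,) = struct.unpack_from("<I", blob, off); off += 4
    pdf = bytearray()
    for start in range(0, pdf_len, CHUNK):
        piece = blob[off + start: off + min(start + CHUNK, pdf_len)]
        pdf += chacha20_xor(key, nonce, piece, stream_offset=start)  # resume, don't restart
    off += pdf_len
    (dll_len,) = struct.unpack_from("<I", blob, off); off += 4
    dll = chacha20_xor(key, nonce, blob[off:off + dll_len])
    return bytes(pdf), dll


def xor_of_plaintexts(ct_a: bytes, ct_b: bytes) -> bytes:
    """If key, nonce and counter are reused, ct_a ^ ct_b == pt_a ^ pt_b: the keystream cancels."""
    return bytes(a ^ b for a, b in zip(ct_a, ct_b))


# Constructed sample inputs: the RFC 7539 test key, a fixed nonce, stand-in PDF and DLL bytes.
SAMPLE_KEY = bytes(range(32))
SAMPLE_NONCE = bytes.fromhex("000000000000004a00000000")
SAMPLE_PDF = b"%PDF-1.4\n% constructed stand-in for the decoy job description\n" * 40
SAMPLE_DLL = b"MZ" + bytes(range(256)) * 3


def demo() -> bool:
    """Round-trip the constructed container; returns True when both payloads decrypt intact."""
    blob = build_container(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_PDF, SAMPLE_DLL)
    pdf, dll = unpack_container(blob)
    return pdf == SAMPLE_PDF and dll == SAMPLE_DLL


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The RFC 7539 block test (key 00..1f, nonce 000000090000004a00000000, counter 1) is the check to run before trusting any unpacker built on this; the chunk loop passes absolute offsets so a 1 KiB chunk size, or any other, produces the same plaintext as a one-shot decrypt.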

For persistence, the malware copies its files to %APPDATA%, re-encrypts the backdoor code with the same key and nonce and saves it as Thumbs.ini, then schedules a daily task to execute the backdoor.

MISTPEN, a backdoor written in C, decrypts a token with a hardcoded AES key and uses it to communicate with Microsoft Graph APIs, through which it downloads and executes PE files and can potentially exfiltrate data.

The backdoor can execute PE payloads, terminate the process, sleep for specified intervals, or hibernate with updated sleep times, sending corresponding messages to its C2 to indicate status or completion.

A pseudocode representation of the malicious code in wtsapi32.dll

The malware hijacks BdeUISrv.exe’s DLL search order to load TEARPAGE, a loader that decrypts a ChaCha20-encrypted backdoor DLL from %APPDATA%\Thumbs.ini.

The decrypted backdoor, MISTPEN, is then reflectively loaded into BdeUISrv.exe’s memory space and executed.

Mandiant’s analysis shows that MISTPEN has evolved, adding persistence, configuration saving, and improved C2 infrastructure compared with earlier versions.

UNC2970, a North Korean cyber espionage group, uses job-themed phishing emails to deliver malicious archives via WhatsApp, targeting victims in several countries. This mirrors UNC4034’s past activity and aligns with the group’s interest in strategic intelligence.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
