Global Security

North Korean hackers target energy and aerospace industries with new MISTPEN malware

September 18, 2024 | Ravi Lakshmanan | Cyber espionage / malware

A cyber espionage group linked to North Korea has been observed using job-themed phishing lures to target prospective victims in the energy and aerospace verticals and infect them with a previously undocumented backdoor called MISTPEN.

The activity cluster is tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, also commonly referred to as the Lazarus Group or Diamond Sleet (formerly Zinc).

The threat actor has a history of targeting government, defense, telecommunications and financial institutions worldwide since at least 2013 to collect strategic intelligence that advances North Korean interests. It is affiliated with the Reconnaissance General Bureau (RGB).

The threat intelligence firm said it observed UNC2970 targeting various organizations located in the US, UK, Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong and Australia.

“UNC2970 targets victims under the guise of job vacancies, posing as a recruiter for well-known companies,” Mandiant said in a new analysis, adding that the group copies and tailors job descriptions to the profiles of its targets.

“Furthermore, the selected job descriptions target senior/management employees. This indicates that the threat actor is seeking to gain access to confidential and sensitive information that is normally restricted to senior-level employees.”

The attack chains, also known as Operation Dream Job, involve the use of phishing lures to engage with victims over email and WhatsApp in an attempt to build trust before sending a malicious ZIP archive disguised as a job description.

Interestingly, the job description PDF file can only be opened with a trojanized version of a legitimate PDF reader application called Sumatra PDF that is included in the same ZIP archive; that reader delivers MISTPEN via a launcher called BURNBOOK.

It should be noted that this is not a supply chain attack, and no vulnerability in the software is exploited. Rather, the attack uses an older version of Sumatra PDF that has been repurposed to trigger the infection chain.

This is a tried-and-tested method the group first adopted in 2022, with both Mandiant and Microsoft highlighting the use of a wide range of open-source software for these attacks, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer.

It is believed that the threat actors instruct victims to open the PDF file with the bundled weaponized PDF viewer, which triggers execution of a malicious DLL, a C/C++ launcher called BURNBOOK. Because the reader is simply an old build rather than an exploit, the chain depends on the victim running the bundled executable; the PDF itself is not what carries the payload.

“This file is a dropper for the embedded DLL ‘wtsapi32.dll’, which is tracked as TEARPAGE and is used to execute the MISTPEN backdoor after a system reboot,” Mandiant researchers said. “MISTPEN is a trojanized version of the legitimate Notepad++ plugin, binhex.dll, which contains a backdoor.”
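The bundling described above (a PDF lure, an old reader binary, and a DLL named after a Windows system library placed beside it) is something a mail gateway or endpoint agent can flag before anything runs. The following is an added example and not code from Mandiant or the article: a Python triage routine that inspects a ZIP in memory, classifies entries by content magic rather than extension, and flags a DLL whose name shadows a system DLL sitting in the same directory as an executable. wtsapi32.dll is the name given in the report; the other names in SIDELOAD_DLL_NAMES are assumed, commonly side-loaded ones, and the sample archive layout and file names are constructed.

```python
"""Triage a "job description" ZIP for the delivery pattern described above:
a PDF shipped alongside a PE executable and a DLL whose name shadows a
Windows system DLL (the DLL side-loading setup). Added example, not code
from Mandiant or the article. Assumptions: archives are small enough to
read into memory, and SIDELOAD_DLL_NAMES is an illustrative subset.
"""
import io
import posixpath
import zipfile

# wtsapi32.dll is the name given in the article; the other entries are
# assumed, commonly side-loaded system DLL names, not from the report.
SIDELOAD_DLL_NAMES = {"wtsapi32.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"}

PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"


def classify_entry(name: str, head: bytes) -> str:
    """Classify by content magic first, then by extension, because a renamed
    binary (or an .exe whose header was stripped) is itself a signal."""
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if name.lower().endswith((".exe", ".dll", ".scr")):
        return "pe-ext"
    return "other"


def triage_archive(data: bytes) -> dict:
    """Inspect an in-memory ZIP and return the PE entries, PDF entries,
    side-loading candidates and a verdict string."""
    findings = {"pe": [], "pdf": [], "sideload": [], "verdict": "clean"}
    kinds = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            kind = classify_entry(info.filename, head)
            kinds[info.filename] = kind
            if kind in ("pe", "pe-ext"):
                findings["pe"].append(info.filename)
            elif kind == "pdf":
                findings["pdf"].append(info.filename)

    # Side-loading heuristic: a DLL carrying a system DLL's name placed in the
    # same directory as an executable, so the loader finds it before System32.
    exe_dirs = {posixpath.dirname(n) for n, k in kinds.items()
                if k in ("pe", "pe-ext") and n.lower().endswith(".exe")}
    for name in kinds:
        if (posixpath.basename(name).lower() in SIDELOAD_DLL_NAMES
                and posixpath.dirname(name) in exe_dirs):
            findings["sideload"].append(name)

    if findings["sideload"]:
        findings["verdict"] = "block: executable bundled with shadowed system DLL"
    elif findings["pe"] and findings["pdf"]:
        findings["verdict"] = "block: document bundled with executable code"
    elif findings["pe"]:
        findings["verdict"] = "review: executable content in archive"
    return findings


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {path: bytes} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed lure layout mirroring the article's description; the
    'binaries' are just MZ-prefixed padding, not real executables."""
    return build_archive({
        "JobDescription/Senior_Engineer.pdf": b"%PDF-1.4\n%constructed\n",
        "JobDescription/SumatraPDF.exe": b"MZ" + b"\x00" * 62,
        "JobDescription/wtsapi32.dll": b"MZ" + b"\x00" * 62,
    })


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    print(result["verdict"])
    for candidate in result["sideload"]:
        print("  side-load candidate:", candidate)
```

Matching on content magic rather than extension matters here because the whole point of the lure is that the PDF is harmless and the viewer is the payload; a rule that only inspects the .pdf entry would pass the archive.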

TEARPAGE, the loader embedded in BURNBOOK, is responsible for decrypting and running MISTPEN. A lightweight implant written in C, MISTPEN is equipped to download and execute Portable Executable (PE) files received from the command-and-control (C2) server. It communicates over HTTP with Microsoft Graph URLs.

Mandiant also said it discovered older BURNBOOK and MISTPEN artifacts, suggesting that they are being periodically improved to add features and to fly under the radar. Some early MISTPEN samples have also been found to use compromised WordPress websites as C2 domains.

“The threat actor has refined its malware over time, introducing new features and adding network connectivity checks to thwart sample analysis,” the researchers said.
