Pirrico
Registered User
North Korean hackers, linked to the notorious Lazarus Group, have launched a sophisticated cyber-espionage campaign targeting energy and aerospace industries. The operation, tracked by Mandiant as UNC2970, employs job-themed phishing lures to infiltrate organizations across multiple countries, including the U.S., U.K., and Australia. The attackers pose as recruiters from prominent companies, tailoring job descriptions to attract senior-level employees with access to sensitive information.
The attack, dubbed "Operation Dream Job," begins with spear-phishing emails and WhatsApp messages to build trust with potential victims. The hackers then send a malicious ZIP archive containing a trojanized version of the Sumatra PDF reader. When victims attempt to open the job description PDF using this compromised software, it triggers the installation of a new backdoor called MISTPEN.
MISTPEN is a sophisticated malware that leverages a legitimate Notepad++ plugin as a disguise. It's deployed through a multi-stage process involving a launcher named BURNBOOK and a loader called TEARPAGE. Once installed, MISTPEN can download and execute additional malicious payloads from a command-and-control server, using Microsoft Graph URLs for communication.
Mandiant's analysis reveals that the UNC2970 group has been continuously improving their malware arsenal. Older versions of BURNBOOK and MISTPEN have been discovered, indicating an ongoing effort to enhance capabilities and evade detection. The researchers noted that the threat actors have added new features and implemented network connectivity checks to hinder analysis attempts. This campaign underscores the persistent and evolving nature of North Korean cyber operations targeting critical industries worldwide.
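Two quick triage checks a defender could run against the lure and the beaconing behaviour the post describes. This is an added example; it is not code from the post, from Mandiant, or from any MISTPEN analysis. The ZIP contents, the network events and the allowlist of processes expected to talk to Microsoft Graph are all constructed or assumed here and would need tuning for a real environment.

```python
"""Added defensive example, not from the forum post or from Mandiant.

1. triage_zip_attachment(): flags a ZIP that bundles a PE executable next
   to a PDF, the shape of the "trojanized Sumatra PDF reader + job
   description PDF" lure described in the post.
2. find_unexpected_graph_clients(): flags endpoint network events in which
   a process outside an allowlist of expected Microsoft Graph consumers
   contacts graph.microsoft.com, since the post says MISTPEN uses Microsoft
   Graph URLs for command-and-control traffic.

All sample data below is constructed; the allowlist is an assumption.
"""
import io
import zipfile

PE_MAGIC = b"MZ"  # DOS header that every Windows EXE/DLL starts with


def triage_zip_attachment(zip_bytes: bytes) -> dict:
    """Classify ZIP members by magic bytes; PDF + PE together is suspicious."""
    pdfs, pes = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            name = info.filename.lower()
            if head.startswith(b"%PDF"):
                pdfs.append(info.filename)
            # Check magic bytes, not just the extension: a renamed .exe still starts with MZ
            if head.startswith(PE_MAGIC) or name.endswith((".exe", ".dll", ".scr")):
                pes.append(info.filename)
    return {"pdf": pdfs, "pe": pes, "suspicious": bool(pdfs and pes)}


def build_sample_zip(entries: dict) -> bytes:
    """Helper to construct an in-memory ZIP from {name: bytes} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed lure: a job-description PDF shipped alongside a PE named like a PDF reader.
LURE_ZIP = build_sample_zip({
    "Job_Description.pdf": b"%PDF-1.7\n% constructed placeholder\n",
    "SumatraPDF.exe": PE_MAGIC + b"\x90\x00" * 30,
})
# Constructed benign attachment: only a PDF.
BENIGN_ZIP = build_sample_zip({"Job_Description.pdf": b"%PDF-1.7\n% constructed\n"})

# Assumed allowlist of processes that legitimately talk to Microsoft Graph.
EXPECTED_GRAPH_CLIENTS = {
    "outlook.exe", "teams.exe", "ms-teams.exe", "onedrive.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
}

# Constructed endpoint network events (Sysmon-style process -> destination host).
SAMPLE_NET_EVENTS = [
    {"ts": "2024-09-17T09:01:00Z", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "graph.microsoft.com"},
    {"ts": "2024-09-17T09:02:10Z", "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "dest_host": "graph.microsoft.com"},
    {"ts": "2024-09-17T09:02:30Z", "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "dest_host": "notepad-plus-plus.org"},
]


def find_unexpected_graph_clients(events, allowlist=frozenset(EXPECTED_GRAPH_CLIENTS)):
    """Return events where a non-allowlisted process contacts graph.microsoft.com."""
    hits = []
    for ev in events:
        host = ev["dest_host"].lower()
        proc = ev["image"].rsplit("\\", 1)[-1].lower()
        if (host == "graph.microsoft.com" or host.endswith(".graph.microsoft.com")) \
                and proc not in allowlist:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    print(triage_zip_attachment(LURE_ZIP))
    for hit in find_unexpected_graph_clients(SAMPLE_NET_EVENTS):
        print("unexpected Graph client:", hit["image"], "->", hit["dest_host"])
```

The attachment check deliberately keys on magic bytes rather than file names, because a trojanized reader can be renamed freely; the Graph check is an allowlist rather than a signature, because the point of abusing Microsoft Graph for C2 is that the destination itself looks legitimate, so the anomaly lives in which process is talking, not where it talks to.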

