A cyberespionage group with ties to North Korea has been observed using job-themed phishing lures to target potential victims in the energy and aerospace industries, infecting them with a previously undocumented backdoor called MISTPEN.
This cluster of activity is tracked by Google-owned Mandiant as UNC2970. The company said the group overlaps with a threat actor known as TEMP.Hermit, also commonly referred to as the Lazarus Group or Diamond Sleet (formerly Zinc).
Since at least 2013, this threat actor has targeted government, defense, communications, and financial institutions around the world to collect strategic information that advances North Korean interests. The actor is affiliated with North Korea's Reconnaissance General Bureau (RGB).
The threat intelligence firm said it has observed UNC2970 targeting various organizations in the United States, Britain, the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong and Australia.
“UNC2970 poses as recruiters from well-known companies and targets victims with disguised job postings,” it said in the new analysis, adding that it copies and adapts job descriptions to fit the targets’ profiles.
“Furthermore, the job descriptions selected target employees at senior management levels, suggesting that the threat actors are aiming to access sensitive or confidential information that is typically restricted to employees at senior management levels.”
Also known as “Operation Dream Job,” this series of attacks involves communicating with victims via email and WhatsApp, using spear-phishing lures to build trust before sending them a malicious ZIP archive disguised as a job advertisement.
Interestingly, the PDF job description inside the archive can only be opened with a trojanized version of a legitimate PDF reader application called Sumatra PDF. The trojanized reader is bundled in the same archive and delivers MISTPEN via a launcher called BURNBOOK.
It is important to note that this is not a supply chain attack, nor does it exploit a software vulnerability; rather, the attackers repurpose an older version of Sumatra PDF to kick off the infection chain.
This is a tried-and-tested technique that hacking groups have employed since 2022, with both Mandiant and Microsoft highlighting the use of a wide range of open source software in these attacks, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installers.
The threat actors likely instruct victims to open the PDF file with the bundled, weaponized PDF viewer, which triggers the execution of a malicious DLL file: a C/C++ launcher called BURNBOOK.
“This file is tracked as TEARPAGE and is a dropper for an embedded DLL, ‘wtsapi32.dll’, which is used to execute the MISTPEN backdoor after a system reboot,” Mandiant researchers said. “MISTPEN is a Trojanized version of the legitimate Notepad++ plugin, binhex.dll, which contains a backdoor.”
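The chain above hinges on a bundled executable loading a DLL that carries the name of a Windows system library (wtsapi32.dll beside the trojanized Sumatra PDF). As an added example that is not part of Mandiant's report, the following Python triage helper walks an unpacked archive and flags any executable that sits next to such a DLL. The directory layout, file contents and the list of system DLL names are constructed stand-ins for illustration.

```python
"""Triage helper for the DLL side-loading pattern described in the article:
an .exe shipped together with a DLL that shadows a Windows system library.
Everything here is constructed for demonstration; no real malware is used."""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed, non-exhaustive sample of DLLs that should only load from
# %SystemRoot%\System32. A copy beside an .exe is a side-loading indicator.
SYSTEM_DLLS = {"wtsapi32.dll", "version.dll", "dbghelp.dll", "winhttp.dll"}


def find_sideload_candidates(root):
    """Return a list of (exe_path, dll_path, dll_sha256) tuples for every
    executable that has a same-directory DLL named like a system DLL."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}
        exes = [f for f in files if f.lower().endswith(".exe")]
        if not exes:
            continue
        for dll_name in sorted(SYSTEM_DLLS.intersection(lower)):
            dll = Path(dirpath) / lower[dll_name]
            digest = hashlib.sha256(dll.read_bytes()).hexdigest()
            for exe in sorted(exes):
                findings.append((str(Path(dirpath) / exe), str(dll), digest))
    return findings


def build_sample_tree():
    """Constructed layout mimicking an unpacked job-offer ZIP plus a benign
    folder; file bodies are harmless placeholder bytes."""
    root = Path(tempfile.mkdtemp())
    lure = root / "Job_Description"
    lure.mkdir()
    (lure / "SumatraPDF.exe").write_bytes(b"MZ placeholder reader stub")
    (lure / "wtsapi32.dll").write_bytes(b"MZ placeholder dll stub")
    (lure / "Job_Description.pdf").write_bytes(b"%PDF-1.4 placeholder")
    clean = root / "Clean_Tool"
    clean.mkdir()
    (clean / "tool.exe").write_bytes(b"MZ placeholder tool")
    (clean / "helper.dll").write_bytes(b"MZ placeholder helper")
    return root


if __name__ == "__main__":
    for exe, dll, sha in find_sideload_candidates(build_sample_tree()):
        print(f"side-load candidate: {exe} loads {dll} (sha256 {sha})")
```

Run against a real extracted archive by passing its path to find_sideload_candidates; the hash is there so hits can be compared with vendor indicators.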
TEARPAGE, a loader embedded in BURNBOOK, is responsible for decrypting and launching MISTPEN. MISTPEN is a lightweight implant written in C that is instrumented to download and execute a Portable Executable (PE) file obtained from a command and control (C2) server. It communicates over HTTP with the following Microsoft Graph URLs:
Mandiant also said it found older BURNBOOK and MISTPEN artifacts, suggesting they were repeatedly improved to add features and fly under the radar. Early MISTPEN samples were also found using compromised WordPress websites as C2 domains.
“Threat actors have improved their malware over time by implementing new functionality and adding network connectivity checks that hinder analysis of the samples,” the researchers said.