North Korean Hackers and Their Evolving Tactics
North Korean state-linked operators have developed a new backdoor called MISTPEN and are using it against the energy and aerospace sectors. The activity is associated with the actors commonly known as the Lazarus Group or Diamond Sleet, who have refined a long-running approach: breaching sensitive organisations under the guise of job opportunities.
Who is Behind These Attacks?
Mandiant tracks the group responsible for these attacks as UNC2970, a cluster that overlaps with the activity Mandiant calls TEMP.Hermit. Groups of this kind have targeted government and financial organisations worldwide since at least 2013 in support of North Korean strategic interests, and are assessed to be affiliated with the Reconnaissance General Bureau (RGB).
Method of Attack: Job-Themed Phishing
Phishing is a technique where attackers impersonate a trusted party to trick victims into giving up sensitive information or running malicious code. UNC2970 uses job-themed lures: targets receive messages about attractive job openings, written to look as if they come from legitimate recruiters. The targets are typically senior-level employees with access to confidential information.
The campaign, known as Operation Dream Job, delivers a malicious ZIP archive disguised as a job description, sent by email or through messaging apps such as WhatsApp. The archive contains a PDF job description together with a PDF reader, and the victim is told the document can only be opened with that bundled reader. The reader is the trap.
The Technical Trick: MISTPEN and BURNBOOK
The bundled reader is an older version of Sumatra PDF, a legitimate open-source PDF viewer, that has been trojanized so that opening the PDF with it also launches the attackers' code. This is not a vulnerability in Sumatra PDF itself; the attackers simply repackaged an old build with their own additions. The trojanized reader, tracked by Mandiant as BURNBOOK, is a C/C++ launcher whose job is to install the MISTPEN malware.
BURNBOOK drops a DLL named wtsapi32.dll, tracked as TEARPAGE, which loads and executes MISTPEN after the system reboots. The file name is borrowed from a legitimate Windows system library, so a copy of it outside the Windows system directories is a useful hunting signal. MISTPEN itself is a trojanized version of a legitimate Notepad++ plugin and functions as a backdoor, giving the operators continued access to the machine.
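The chain above lends itself to two cheap triage checks. The following Python is an added example written for this page, not tooling from Mandiant or from the campaign: it flags a ZIP that pairs a PDF with a PE executable or DLL (the bundled-reader lure) by inspecting magic bytes rather than file names, and it flags any wtsapi32.dll sitting outside the Windows system directories, where the legitimate library lives. The sample archive, the fake PE stub, the file listing and the system-directory set are all constructed assumptions.

```python
"""Triage helper for the job-lure chain (constructed for this page, not
tooling from Mandiant or from the reported campaign).

Check 1: a ZIP that bundles a PDF together with a PE executable or DLL
         matches the "open the job description with our reader" lure.
Check 2: wtsapi32.dll is a legitimate Windows library that lives in
         System32/SysWOW64; a copy anywhere else deserves a closer look.
Member types are decided by magic bytes, not extensions, because the
attacker controls every name inside the archive.
"""
import io
import ntpath
import zipfile

PDF_MAGIC = b"%PDF"
PE_MAGIC = b"MZ"

# Assumed standard Windows layout; adjust if the system drive differs.
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def classify_members(zip_bytes: bytes):
    """Return (pdf_members, pe_members) found in an in-memory ZIP."""
    pdfs, pes = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)  # only the magic bytes are needed
            if head.startswith(PDF_MAGIC):
                pdfs.append(info.filename)
            elif head.startswith(PE_MAGIC):
                pes.append(info.filename)
    return pdfs, pes


def is_suspicious_job_archive(zip_bytes: bytes) -> bool:
    """True when the archive pairs a document with an executable to open it."""
    pdfs, pes = classify_members(zip_bytes)
    return bool(pdfs) and bool(pes)


def misplaced_wtsapi32(paths):
    """Return paths named wtsapi32.dll that sit outside the system directories."""
    hits = []
    for path in paths:
        # normcase lowercases and turns '/' into '\' so comparisons are uniform
        directory, name = ntpath.split(ntpath.normcase(path))
        if name == "wtsapi32.dll" and directory not in SYSTEM_DLL_DIRS:
            hits.append(path)
    return hits


def build_sample_lure() -> bytes:
    """Constructed stand-in for a lure archive: a PDF plus a fake PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.4\n% constructed sample\n")
        zf.writestr("SumatraPDF.exe", PE_MAGIC + b"\x00" * 62)  # not a real binary
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive containing a PDF and a text file only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.4\n")
        zf.writestr("README.txt", b"plain text, nothing to run\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_sample_lure()), ("benign", build_benign_archive())):
        verdict = "suspicious" if is_suspicious_job_archive(data) else "clean"
        print(label, verdict, classify_members(data))
    # Constructed file listing, e.g. from a disk image or an EDR file inventory.
    listing = [
        r"C:\Windows\System32\wtsapi32.dll",
        r"C:\Users\alice\Downloads\JobOffer\SumatraPDF\wtsapi32.dll",
    ]
    print("misplaced:", misplaced_wtsapi32(listing))
```

Both checks are shape heuristics, not signatures: a trojanized Sumatra PDF is a genuine PE file, so the first check catches the lure packaging rather than the malicious code, and it will also fire on benign "portable app plus manual" bundles. Password-protected or nested archives, which the text does not describe, would need to be unpacked before the first check can see the member bytes.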
MISTPEN's Capabilities
Once running, MISTPEN communicates with its command-and-control infrastructure over the internet to download and execute additional payloads. It is a lightweight implant written in C and designed to stay under the radar. The operators route its communications through compromised websites, notably WordPress sites, so that the traffic appears to go to legitimate destinations.
Continuous Evolution
Mandiant has observed that the tooling, including BURNBOOK and MISTPEN, is continuously updated. Each revision adds features and makes the samples harder to detect and analyse. As defenders develop countermeasures, the operators adapt, aiming to keep their tools one step ahead.
Overall, this development highlights the ongoing battle in cybersecurity, where emerging threats require constant vigilance and adaptation from those defending sensitive information.