North Korean Hackers Use MISTPEN to Target Industries

Lilu Anderson

North Korean Hackers and Their Evolving Tactics

North Korean cyber-attackers have developed a new tool called MISTPEN, targeting the energy and aerospace industries. These hackers, often linked with groups known as Lazarus Group or Diamond Sleet, have devised sophisticated methods to breach sensitive sectors under the guise of job opportunities.

Who is Behind These Attacks?

The group responsible for these attacks is tracked by Mandiant as UNC2970. This cluster shares similarities with the group TEMP.Hermit. Since 2013, such groups have targeted critical sectors such as government and finance worldwide in support of North Korean strategic interests. They are affiliated with the Reconnaissance General Bureau (RGB).

Method of Attack: Job-Themed Phishing

Phishing is a technique where attackers pretend to be trustworthy entities to steal sensitive information. In this case, UNC2970 uses job-themed phishing lures, where potential victims receive emails about job openings. These emails are crafted to look like they come from legitimate recruiters. The targets are usually senior-level employees with access to confidential information.

The process, called Operation Dream Job, involves sending malicious ZIP files disguised as job descriptions through emails and even apps like WhatsApp. To read these files, victims are instructed to use a special PDF reader, which is part of the trap.

The Technical Trick: MISTPEN and BURNBOOK

The attackers bundle an older version of Sumatra PDF (a legitimate PDF reader) inside their ZIP files. This copy has been altered to launch a malicious program. This isn’t a vulnerability in Sumatra PDF itself but rather a misuse of a legitimate binary. Once the reader is opened, a program called BURNBOOK activates; it is a C/C++ launcher that installs the MISTPEN malware.

BURNBOOK drops a file called wtsapi32.dll, tracked as TEARPAGE, which then executes MISTPEN after the computer reboots. MISTPEN is a modified version of a common Notepad++ plugin and acts as a backdoor for further access.
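The chain described in the two paragraphs above relies on a DLL with a legitimate Windows system name (wtsapi32.dll) being dropped next to a legitimate application so that it is loaded in place of the real one. The script below is an added defensive example, not tooling from the article or from Mandiant: it walks a directory tree, flags any watched DLL name found outside the assumed Windows system directories, notes whether an executable sits beside it (a sideloading host candidate), and hashes the file for triage. The sample file layout, the trusted-directory suffixes, and the placeholder file contents are all constructed for the demo.

```python
"""Hunt for Windows system DLL names planted outside the system directories.

Added example for the MISTPEN/TEARPAGE write-up above; not the article's or
Mandiant's code. The sample tree and placeholder bytes are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# DLL file names to hunt for. wtsapi32.dll is the name the article gives for
# the dropped TEARPAGE loader; extend the set with other system DLL names.
WATCHED_DLLS = {"wtsapi32.dll"}

# Directory suffixes where such DLLs legitimately live (assumption: a default
# Windows layout). Compared case-insensitively using forward slashes.
TRUSTED_DIR_SUFFIXES = ("/windows/system32", "/windows/syswow64")


def _norm(path: Path) -> str:
    """Lower-case, forward-slash form so the check works on any OS."""
    return path.as_posix().lower()


def is_trusted_location(directory: Path) -> bool:
    """True when the directory is one of the expected system DLL locations."""
    d = _norm(directory)
    return any(d.endswith(suffix) for suffix in TRUSTED_DIR_SUFFIXES)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 for triage and IoC comparison."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(root: Path, watched=WATCHED_DLLS) -> list[dict]:
    """Return one finding per watched DLL name located outside trusted dirs."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.name.lower() not in watched:
            continue
        if is_trusted_location(path.parent):
            continue  # the real system copy; nothing to report
        # An .exe beside the DLL is the classic search-order hijacking host.
        host_exes = sorted(
            p.name for p in path.parent.iterdir() if p.suffix.lower() == ".exe"
        )
        findings.append({
            "dll": str(path),
            "sha256": sha256_of(path),
            "host_exes": host_exes,
            "severity": "high" if host_exes else "medium",
        })
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed demo layout: one legitimate copy, one planted copy."""
    sys32 = root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "wtsapi32.dll").write_bytes(b"legit-system-dll-placeholder")
    drop = root / "Users" / "victim" / "Downloads" / "JobDescription"
    drop.mkdir(parents=True)
    (drop / "SumatraPDF.exe").write_bytes(b"old-sumatra-pdf-placeholder")
    (drop / "wtsapi32.dll").write_bytes(b"planted-dll-placeholder")


def demo() -> list[dict]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return find_sideload_candidates(root)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['dll']} sha256={f['sha256']} "
              f"host_exes={f['host_exes']}")
```

Run it against a user profile or a mounted disk image by calling find_sideload_candidates(Path("C:/Users")) instead of demo(); a copy of wtsapi32.dll next to a PDF reader in a Downloads folder is exactly the pattern worth pulling for analysis, while the copy under System32 is ignored.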

MISTPEN's Capabilities

Once operational, MISTPEN communicates with its controllers over the internet, downloading additional malicious programs. It is lightweight, written in C, and designed to avoid detection. The operators use compromised websites, notably WordPress sites, as the infrastructure for these communications.

Continuous Evolution

Mandiant has observed that the malware, including BURNBOOK and MISTPEN, is continuously updated. These updates add new features, making it harder to detect and analyze. As defenders find methods to counter these attacks, the hackers adapt, ensuring their malicious tools remain one step ahead.

Overall, this development highlights the ongoing battle in cybersecurity, where emerging threats require constant vigilance and adaptation from those defending sensitive information.
