North Korean Hackers Target Energy and Aerospace Sectors with Fresh MISTPEN Malware
A North Korea-linked cyber-espionage group has been using job-themed phishing lures to target victims in the energy and aerospace industries and infect them with a previously undocumented backdoor called MISTPEN.
Tracked as UNC2970 by Google-owned Mandiant, the group's activity overlaps with a threat actor known as TEMP.Hermit, also referred to as Lazarus Group or Diamond Sleet (formerly Zinc).
The group, assessed to be affiliated with North Korea's Reconnaissance General Bureau (RGB), has targeted government, defense, telecommunications, and financial organizations worldwide since at least 2013 to collect strategic intelligence that advances North Korean interests.
Mandiant reported observing UNC2970 targeting various entities in the USA, UK, Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia.
“UNC2970 attracts victims by posing as job openings at well-known companies,” according to a new analysis, which notes that the group tailors the job descriptions to the profiles of its targets.
“Additionally, the job descriptions selected aim at senior-level employees, indicating that the threat actor is looking to gain access to restricted sensitive and confidential information usually accessible only to high-ranking staff.”
The campaign, known as Operation Dream Job, uses spear-phishing over email and WhatsApp to engage targets and build trust before sending a malicious ZIP archive disguised as a job description.
The archive contains a PDF lure that can only be opened with a trojanized copy of the legitimate open-source Sumatra PDF reader bundled alongside it; opening the PDF this way delivers MISTPEN through a launcher Mandiant calls BURNBOOK.
This is not a supply chain compromise or a vulnerability in Sumatra PDF: the attackers took an older version of the reader and modified it to kick off the infection chain. Because the viewer ships inside the archive, the victim never has to download anything from the vendor's site, and the bundled binary is the one that needs scrutiny.
The group has used this technique since at least 2022; both Mandiant and Microsoft have documented trojanized versions of open-source software such as PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer in these attacks.
Victims are likely instructed to open the PDF with the bundled, weaponized viewer, which triggers execution of a malicious DLL: a C/C++ launcher called BURNBOOK.
“This file acts as a dropper for an embedded DLL, ‘wtsapi32.dll,’ identified as TEARPAGE, which is utilized to execute the MISTPEN backdoor following a system reboot,” stated Mandiant researchers. “MISTPEN is a tampered version of a valid Notepad++ plugin, binhex.dll, containing a backdoor.”

TEARPAGE, the loader embedded in BURNBOOK, decrypts and launches MISTPEN. MISTPEN itself is a lightweight implant written in C that can download and execute Portable Executable (PE) files fetched from a command-and-control (C2) server, communicating over HTTP with Microsoft Graph URLs. Using Microsoft Graph for C2 lets the beaconing blend into legitimate Microsoft 365 traffic, so defenders cannot simply block the destination and should instead look at which processes are making those requests.
Mandiant also recovered earlier BURNBOOK and MISTPEN artifacts, which show iterative improvements that add functionality and evade detection. The earliest MISTPEN samples used compromised WordPress websites as C2 domains.
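The delivery chain described above (a ZIP "job description" carrying a PDF lure plus a trojanized PDF reader and a malicious DLL) is exactly the shape a mail gateway or sandbox pre-filter can catch before anyone opens the PDF. The following Python triage script is an added example; it is not code from Mandiant or from this article. It identifies archive members by content signature rather than file extension and flags three things: a document lure bundled with executable code, PE content hidden under a document extension, and a DLL named after a Windows system DLL (a classic side-loading setup). The archive contents, member names and the list of system DLL names other than wtsapi32.dll are constructed assumptions for the demonstration, and the check for PE content under a document suffix goes beyond what the article states about this specific campaign.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Identify members by content signature, not extension: a payload can carry
# any suffix the attacker likes, so ".pdf" on its own proves nothing.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF-"
DOC_SUFFIXES = (".pdf", ".doc", ".docx", ".rtf", ".txt")
PE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")

# Names of legitimate Windows system DLLs that are frequent side-loading and
# search-order-hijack targets. wtsapi32.dll is the name Mandiant reports for
# the dropped TEARPAGE DLL; the other entries are assumptions added for breadth.
SYSTEM_DLL_NAMES = {"wtsapi32.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}


@dataclass
class ArchiveVerdict:
    pe_members: list = field(default_factory=list)        # members whose bytes start with MZ
    doc_members: list = field(default_factory=list)       # lure documents (by signature or suffix)
    renamed_pe: list = field(default_factory=list)        # MZ content under a non-PE extension
    system_dll_names: list = field(default_factory=list)  # PE members colliding with system DLL names
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def inspect_archive(data: bytes, max_member_bytes: int = 50 * 1024 * 1024) -> ArchiveVerdict:
    """Triage a ZIP attachment for the lure-document-plus-executable pattern."""
    v = ArchiveVerdict()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        v.reasons.append("not a valid ZIP archive")
        return v
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1].lower()
            if info.file_size > max_member_bytes:
                v.reasons.append(f"{name}: too large to inspect ({info.file_size} bytes)")
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the signature bytes are needed
            if head.startswith(PE_MAGIC):
                v.pe_members.append(name)
                if not name.endswith(PE_SUFFIXES):
                    v.renamed_pe.append(name)
                if name in SYSTEM_DLL_NAMES:
                    v.system_dll_names.append(name)
            elif head.startswith(PDF_MAGIC) or name.endswith(DOC_SUFFIXES):
                v.doc_members.append(name)
    if v.doc_members and v.pe_members:
        v.reasons.append(f"lure document(s) {v.doc_members} bundled with executable code {v.pe_members}")
    if v.renamed_pe:
        v.reasons.append(f"PE content hidden under a document extension: {v.renamed_pe}")
    if v.system_dll_names:
        v.reasons.append(f"DLL named after a Windows system DLL (side-loading candidate): {v.system_dll_names}")
    return v


def fake_pe() -> bytes:
    """Minimal MZ/PE header stub for the constructed sample; it is not a runnable binary."""
    return b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 64


def build_sample_archive(with_payload: bool = True) -> bytes:
    """Constructed archive imitating the job-description bundle described in the
    article. Member names and contents are made up for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Job_Description/Senior_Engineer_Role.pdf", b"%PDF-1.7\n% constructed lure\n")
        zf.writestr("Job_Description/README.txt", b"Open the PDF with the bundled viewer.\n")
        if with_payload:
            zf.writestr("Job_Description/SumatraPDF.exe", fake_pe())  # stands in for the trojanized reader
            zf.writestr("Job_Description/wtsapi32.dll", fake_pe())    # system-DLL name collision
            zf.writestr("Job_Description/Benefits.pdf", fake_pe())    # PE bytes under a .pdf suffix
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure bundle", build_sample_archive(True)),
                        ("documents only", build_sample_archive(False))):
        verdict = inspect_archive(data)
        print(f"{label}: suspicious={verdict.suspicious}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The signature check reads only the first eight bytes of each member, so the script stays cheap even on large attachments, and oversized members are reported rather than silently skipped. A hit on any of the three reasons is a reason to detonate the archive in a sandbox, not proof of compromise: legitimate portable-app bundles can also ship a document next to an executable.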
“Over time, the threat actor has refined their malware by incorporating new features and introducing a network connectivity check to impede sample analysis,” noted the researchers.


