North Korean UNC2970 Hackers Expands Operations with New Malware Families

1 year ago AndyC

Mar
10,
2023Ravie
LakshmananCyber
Attack
/
Malware

A
North
Korean
espionage
group
tracked
as

UNC2970
has
been
observed
employing
previously
undocumented
malware
families
as
part
of
a
spear-phishing
campaign
targeting
U.S.

North Korean UNC2970 Hackers Expands Operations with New Malware Families



Mar
10,
2023Ravie
LakshmananCyber
Attack
/
Malware


North Korean UNC2970 Hackers Expands Operations with New Malware Families

A
North
Korean
espionage
group
tracked
as

UNC2970
has
been
observed
employing
previously
undocumented
malware
families
as
part
of
a
spear-phishing
campaign
targeting
U.S.
and
European
media
and
technology
organizations
since
June
2022.

Google-owned
Mandiant
said
the
threat
cluster
shares
“multiple
overlaps”
with
a

long-running

operation

dubbed
Dream
Job
that
employs
job
recruitment
lures
in
email
messages
to
trigger
the
infection
sequence.

UNC2970
is
the
new
moniker
designated
by
the
threat
intelligence
firm
to
a
set
of
North
Korean
cyber
activity
that
maps
to
UNC577
(aka

Temp.Hermit),
and
which
also
comprises
another
nascent
threat
cluster
tracked
as
UNC4034.

The
UNC4034
activity,
as

documented
by
Mandiant
in
September
2022,
entailed
the
use
of
WhatsApp
to
socially
engineer
targets
into
downloading
a

backdoor
called
AIRDRY.V2
under
the
pretext
of
sharing
a
skills
assessment
test.

“UNC2970
has
a
concerted
effort
towards
obfuscation
and
employs
multiple
methods
to
do
this
throughout
the
entire
chain
of
delivery
and
execution,”
Mandiant
researchers
said
in
a

detailed

two-part
analysis,
adding
the
effort
specifically
targeted
security
researchers.

Temp.Hermit
is
one
of
the
primary
hacking
units
associated
with
North
Korea’s
Reconnaissance
General
Bureau
(RGB)
alongside

Andariel
and

APT38
(aka
BlueNoroff).
All
three
actor
sets
are

collectively
referred
to
as
the

Lazarus
Group
(aka
Hidden
Cobra
or
Zinc).

“TEMP.Hermit
is
an
actor
that
has
been
around
since
at
least
2013,”
Mandiant

noted
in
a
March
2022
report.
“Their
operations
since
that
time
are
representative
of
Pyongyang’s
efforts
to
collect
strategic
intelligence
to
benefit
North
Korean
interests.”

The
latest
set
of
UNC2970
attacks
are
characterized
by
initially
approaching
users
directly
on
LinkedIn
using
“well
designed
and
professionally
curated”
fake
accounts
posing
as
recruiters.

The
conversation
is
subsequently
shifted
to
WhatsApp,
after
which
a
phishing
payload
is
delivered
to
the
target
under
the
guise
of
a
job
description.


In
some
instances,
these
attack
chains
have
been
observed
to
deploy
trojanized
versions
of
TightVNC
(named
LIDSHIFT),
which
is
engineered
to
load
a
next-stage
payload
labeled
as
LIDSHOT
that’s
capable
of
downloading
and
executing
shellcode
from
a
remote
server.

Establishing
a
foothold
within
compromised
environments
is
achieved
by
means
of
a
C++-based
backdoor
known
as
PLANKWALK
that
then
paves
the
way
for
the
distribution
of
additional
tooling
such
as


  • TOUCHSHIFT

    A
    malware
    dropper
    that
    loads
    follow-on
    malware
    ranging
    from
    keyloggers
    and
    screenshot
    utilities
    to
    full-featured
    backdoors

  • TOUCHSHOT

    A
    software
    that’s
    configured
    to
    take
    a
    screenshot
    every
    three
    seconds

  • TOUCHKEY

    A
    keylogger
    that
    captures
    keystrokes
    and
    clipboard
    data

  • HOOKSHOT

    A
    tunneling
    tool
    that
    connects
    over
    TCP
    to
    communicate
    with
    the
    command-and-control
    (C2)
    server

  • TOUCHMOVE

    A
    loader
    that’s
    designed
    to
    decrypt
    and
    execute
    a
    payload
    on
    the
    machine

  • SIDESHOW

    A
    C/C++
    backdoor
    that
    runs
    arbitrary
    commands
    and
    communicates
    via
    HTTP
    POST
    requests
    with
    its
    C2
    server

UNC2970
is
also
said
to
have
leveraged
Microsoft
Intune,
an
endpoint
management
solution,
to
drop
a
bespoke
PowerShell
script
containing
a
Base64-encoded
payload
referred
to
as
CLOUDBURST,
a
C-based
backdoor
that
communicates
via
HTTP.


WEBINAR

Discover
the
Hidden
Dangers
of
Third-Party
SaaS
Apps

Are
you
aware
of
the
risks
associated
with
third-party
app
access
to
your
company’s
SaaS
apps?
Join
our
webinar
to
learn
about
the
types
of
permissions
being
granted
and
how
to
minimize
risk.

RESERVE
YOUR
SEAT

In
what’s
a
continuing
use
of
the
Bring
Your
Own
Vulnerable
Driver
(BYOVD)
technique
by
North
Korea-aligned
actors,
the
intrusions
further
employ
an
in-memory-only
dropper
called
LIGHTSHIFT
that
facilitates
the
distribution
of
another
piece
of
malware
codenamed
LIGHTSHOW.

The
utility,
besides
taking
steps
to
hinder
dynamic
and
static
analysis,
drops
a
legitimate
version
of
a
driver
with
known
vulnerabilities
to
perform
read
and
write
operations
to
kernel
memory
and
ultimately
disarm
security
software
installed
on
the
infected
host.

“The
identified
malware
tools
highlight
continued
malware
development
and
deployment
of
new
tools
by
UNC2970,”
Mandiant
said.
“Although
the
group
has
previously
targeted
defense,
media,
and
technology
industries,
the
targeting
of
security
researchers
suggests
a
shift
in
strategy
or
an
expansion
of
its
operations.”

Found
this
article
interesting?
Follow
us
on

Twitter


and

LinkedIn
to
read
more
exclusive
content
we
post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

More Stories

Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks

Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks

13 hours ago AndyC
Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

2 days ago AndyC
Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

2 days ago AndyC
Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Severe Flaws Disclosed in Brocade SANnav SAN Management Software

3 days ago AndyC
10 Critical Endpoint Security Tips You Should Know

10 Critical Endpoint Security Tips You Should Know

3 days ago AndyC
New 'Brokewell' Android Malware Spread Through Fake Browser Updates

New ‘Brokewell’ Android Malware Spread Through Fake Browser Updates

3 days ago AndyC

You may have missed

Kaspersky boosts email security features after 77% of firms hit by cyber attacks

Kaspersky boosts email security features after 77% of firms hit by cyber attacks

1 hour ago AndyC
Multiple Brocade SANnav SAN Management SW flaws allow device compromise

Multiple Brocade SANnav SAN Management SW flaws allow device compromise

1 hour ago AndyC
Creating new opportunities with AI-driven automation

Creating new opportunities with AI-driven automation

1 hour ago AndyC
Barracuda report explores challenges in managing cyber risks

Barracuda report explores challenges in managing cyber risks

4 hours ago AndyC
Aqua Security launches SaaS cloud security platform in Australia

Aqua Security launches SaaS cloud security platform in Australia

4 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.