UNC2970, a cyber-espionage group linked to North Korea's Reconnaissance General Bureau (RGB) and associated with the Lazarus Group, has been conducting targeted attacks on victims in the energy, aerospace, and nuclear sectors using job-themed phishing lures [1] [2] [3] [4] [5] [6] [7] [8] [9].
Description
UNC2970, also known as the Lazarus Group [1] [2] [3] [4] [5] [6] [8] [9], has been using job-themed phishing emails to target victims in critical infrastructure sectors in the US. The group poses as recruiters for prominent companies and sends malicious ZIP files disguised as job descriptions; these deliver the MISTPEN backdoor, a trojanized Notepad++ plugin, by way of a trojanized copy of the SumatraPDF reader [9]. UNC2970 uses a C/C++ launcher called BURNBOOK, which decrypts the payload embedded in the PDF lure with the ChaCha20 cipher and executes it [5]. The backdoor communicates with Microsoft Graph URLs [1] [5], downloads and executes PE files [1] [2] [5] [7] [9], and uses AES encryption for stealth and persistence [5]. A separate loader, TEARPAGE, decrypts the MISTPEN payload [4]. UNC2970 targets government, defense [3] [9], telecommunications [9], and financial institutions worldwide [9], continuously refining its malware and focusing on senior-level employees in critical sectors across multiple countries.
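As an added defender-side example (not code from this page or from any of the cited reports), the Python below triages a ZIP attachment for the delivery pattern described above: a "job description" PDF packaged next to PE executables, or a PE file carrying a document extension. The sample archive, its member names and its contents are constructed for this example.

```python
import io
import zipfile

# Byte signatures used to identify member types regardless of file extension.
MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"PK\x03\x04": "zip"}


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes, not by its name."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "other"


def build_sample_zip(bundled: bool = True) -> bytes:
    """Constructed test archive (names and contents invented for this example).

    bundled=True mimics the lure pattern: a 'job description' PDF shipped next to
    a PE executable and DLL. bundled=False yields a PDF-only archive for contrast.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.7\n% constructed lure\n")
        if bundled:
            zf.writestr("Viewer/SumatraPDF.exe", b"MZ" + b"\x00" * 62)
            zf.writestr("Viewer/libcrypto.dll", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def triage_zip(blob: bytes) -> dict:
    """Inventory a ZIP attachment and flag document lure + executable bundles."""
    members, flags = [], []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))
            members.append({"name": info.filename, "kind": kind})
            # An executable wearing a document extension is always worth a look.
            if kind == "pe" and info.filename.lower().endswith((".pdf", ".doc", ".docx")):
                flags.append(f"extension mismatch: {info.filename} is a PE file")
    kinds = {m["kind"] for m in members}
    if "pdf" in kinds and "pe" in kinds:
        flags.append("document lure bundled with PE executables")
    return {"members": members, "flags": flags, "suspicious": bool(flags)}


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```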
Conclusion
Organizations in high-risk industries should implement security controls such as phishing-awareness training [6], continuous monitoring [6], and robust endpoint protection to mitigate the threat posed by UNC2970. With a history of targeting critical infrastructure sectors and continuously evolving its malware, UNC2970 poses a significant risk to sensitive data and strategic intelligence. It is crucial for organizations to prioritize cybersecurity measures to defend against state-sponsored cyber threats and safeguard their systems from espionage activities [3].
References
[1] https://gbhackers.com/unc2970-hackers-job-pdf-attack/
[2] https://blog.netmanageit.com/an-offer-you-can-refuse-backdoor-deployment-using-trojanized-pdf-reader/
[3] https://www.flickr.com/photos/201461153@N04/54004235409/
[4] https://cybersecuritynews.com/hackers-targeting-job-seekers/
[5] https://cyberpress.org/unc2970-hackers-target-job-seekers/
[6] https://cybersecsentinel.com/unc2970-launches-mistpen-against-critical-infrastructure/
[7] https://vulners.com/thn/THN:1C5030C32264D9E6F4F992E0247A654D
[8] https://cybermaterial.com/north-korean-hackers-debuts-mistpen-malware/
[9] https://thehackernews.com/2024/09/north-korean-hackers-target-energy-and.html