
A North Korean espionage group tracked as UNC2970 has been observed using previously undocumented malware families in spear-phishing campaigns targeting media and technology organizations in the United States and Europe since June 2022.
Google-owned Mandiant said the threat cluster shares "multiple overlaps" with a long-running operation dubbed "Dream Job," which uses job-posting lures in email messages to trigger the infection sequence.
UNC2970 is assessed to be UNC577 (aka Temp.Hermit), which also encompasses another, newer threat cluster tracked as UNC4034.
UNC4034 activity documented by Mandiant in September 2022 entailed the use of WhatsApp to socially engineer targets into downloading a backdoor called AIRDRY.V2 under the pretext of sharing a skills assessment test.
In a detailed two-part analysis, Mandiant researchers noted that "UNC2970 has a concerted effort towards obfuscation, and employs multiple methods to do this throughout the delivery and execution chain," adding that the campaign is specifically aimed at security researchers.
Temp.Hermit is one of the major hacking units associated with North Korea’s Reconnaissance General Bureau (RGB), along with Andariel and APT38 (aka BlueNoroff). All three sets of actors are collectively known as the Lazarus Group (aka Hidden Cobra or Zinc).
“TEMP.Hermit is an actor that has been around since at least 2013,” Mandiant said in a March 2022 report. “Their operations since then represent Pyongyang’s efforts to gather strategic intelligence for the benefit of North Korea.”
The latest UNC2970 attack is characterized by first approaching users directly on LinkedIn using a “well-designed and professionally curated” fake account posing as a recruiter.
The conversation is then transferred to WhatsApp, after which a phishing payload disguised as a job description is delivered to the target.
In some cases, these attack chains have been observed to deploy trojanized versions of TightVNC (named LIDSHIFT) that are designed to load a next-stage payload labeled LIDSHOT, which is capable of downloading and executing shellcode from a remote server.
The attacks also make use of a C++-based backdoor known as PLANKWALK to establish a foothold within the compromised environment and pave the way for distributing additional tools such as:
- TOUCHSHIFT – A malware dropper that loads follow-on malware ranging from keyloggers and screenshot utilities to full-featured backdoors
- TOUCHSHOT – Software configured to take a screenshot every three seconds
- TOUCHKEY – A keylogger that captures keystrokes and clipboard data
- HOOKSHOT – A tunneling tool that connects over TCP to communicate with a command-and-control (C2) server
- TOUCHMOVE – A loader designed to decrypt and execute a payload on the machine
- SIDESHOW – A C/C++ backdoor that executes arbitrary commands and communicates with the C2 server via HTTP POST requests
UNC2970 is also said to have leveraged Microsoft Intune, an endpoint management solution, to drop a bespoke PowerShell script containing a Base64-encoded payload referred to as CLOUDBURST, a C-based backdoor that communicates over HTTP.
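As an added example (not code from the Mandiant report and not part of UNC2970's tooling), the following Python check triages the delivery pattern just described: a PowerShell script that carries a long Base64 run together with the constructs needed to decode and run it. The sample script, the indicator list, the thresholds and the function names are constructed for this illustration; the PowerShell and .NET identifiers it looks for are real.

```python
"""Static triage for PowerShell scripts carrying embedded Base64 payloads.

Added example, not from the page's source report. The sample script at the
bottom is constructed for the demonstration and is not a real dropper.
"""
import base64
import re

# A contiguous Base64 run of at least 64 characters, with optional padding.
# The minimum length is this example's choice to skip short tokens.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Constructs that commonly surround an embedded payload. The identifiers are
# genuine PowerShell/.NET names; which ones to look for is this example's choice.
INDICATORS = {
    "FromBase64String": re.compile(r"FromBase64String", re.I),
    "EncodedCommand": re.compile(r"-(EncodedCommand|enc|ec)\b", re.I),
    "Invoke-Expression": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    "WindowStyle Hidden": re.compile(r"-W(indowStyle)?\s+Hidden", re.I),
    "WriteAllBytes": re.compile(r"WriteAllBytes", re.I),
    "Assembly.Load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
}


def _printable(text: str) -> bool:
    return bool(text) and all(c.isprintable() or c in "\r\n\t" for c in text)


def classify(blob: bytes) -> tuple:
    """Return (kind, preview) describing what a decoded Base64 blob looks like."""
    if blob[:2] == b"MZ":                      # DOS/PE header: a dropped executable
        return "pe_executable", f"MZ header, {len(blob)} bytes"
    try:                                       # -EncodedCommand payloads are UTF-16LE
        text = blob.decode("utf-16-le")
        if _printable(text):
            return "utf16_script", text[:60]
    except UnicodeDecodeError:
        pass
    try:
        text = blob.decode("utf-8")
        if _printable(text):
            return "text", text[:60]
    except UnicodeDecodeError:
        pass
    return "binary", blob[:16].hex()


def analyze_powershell(script: str) -> dict:
    """Find decodable Base64 runs and decode-and-run indicators in a script."""
    payloads = []
    for m in B64_RUN.finditer(script):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:                     # binascii.Error is a ValueError
            continue                           # long identifier or hash, not Base64
        kind, preview = classify(blob)
        payloads.append({"offset": m.start(), "length": len(blob),
                         "kind": kind, "preview": preview})
    indicators = [name for name, rx in INDICATORS.items() if rx.search(script)]
    # A payload plus at least two decode/execute constructs: worth an analyst's look.
    return {"payloads": payloads, "indicators": indicators,
            "suspicious": bool(payloads) and len(indicators) >= 2}


# Constructed sample: a benign stand-in for a dropper. The "PE" is just an MZ
# header followed by filler bytes; the encoded command only prints a string.
_INNER = "Write-Host 'hello from inner script'"
_ENC_CMD = base64.b64encode(_INNER.encode("utf-16-le")).decode()
_FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 120).decode()
SAMPLE_SCRIPT = f"""
# constructed sample, not a real script
$p = "{_FAKE_PE}"
$bytes = [System.Convert]::FromBase64String($p)
[System.IO.File]::WriteAllBytes("$env:TEMP\\svc.dat", $bytes)
powershell.exe -NoP -W Hidden -EncodedCommand {_ENC_CMD}
"""

if __name__ == "__main__":
    report = analyze_powershell(SAMPLE_SCRIPT)
    for p in report["payloads"]:
        print(f"offset {p['offset']:>5}  {p['kind']:<14} {p['preview']}")
    print("indicators:", ", ".join(report["indicators"]))
    print("suspicious:", report["suspicious"])
```

Run against a script pulled from an Intune deployment or a PowerShell operational log, the check surfaces both the decoded blob type (an MZ header means an executable was staged to disk) and the surrounding constructs, which is usually enough to decide whether the script needs a full reverse of the payload. Scripts that legitimately embed certificates or icons will also trip the Base64 rule, so the indicator count rather than the blob alone drives the verdict.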
Continuing the use of the Bring Your Own Vulnerable Driver (BYOVD) technique by North Korea-aligned actors, the intrusions also made use of an in-memory-only dropper called LIGHTSHIFT that facilitates the distribution of another malware codenamed LIGHTSHOW.
In addition to taking steps to thwart dynamic and static analysis, the utility drops legitimate versions of drivers with known vulnerabilities, which it uses to perform read and write operations on kernel memory and ultimately neutralize the security software installed on the infected host.
“The identified malware tools highlight the continued malware development and deployment of new tools by UNC2970,” said Mandiant. “While the group has previously targeted the defense, media and technology industries, its targeting of security researchers suggests a shift in strategy or expansion of its activities.”