An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
Sept. 18, 2024, 9:03 a.m.
Description
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP archive containing an encrypted PDF and a modified PDF viewer. BURNBOOK decrypts and executes MISTPEN, which can download and run PE files. TEARPAGE, embedded in BURNBOOK, loads MISTPEN through DLL hijacking. The malware has evolved to include network checks and new features. UNC2970 has targeted victims in multiple countries, focusing on senior-level employees in critical sectors.
Date
Published: Sept. 18, 2024, 8:47 a.m.
Created: Sept. 18, 2024, 8:47 a.m.
Modified: Sept. 18, 2024, 9:03 a.m.
Indicators
cb1d73323d3d80004ada185844b0d461abd9ded736d5dc690607f935b4f2b58a
2e9f97ade5573d037c7b1286a129e5b5b2e9acc7723e5732879c5211d57249fd
1565161807718ced42e482c4ddfd5423c0249c5f110fcb5289954b19f9790ffc
www.clinicabaru.co
https://www.clinicabaru.co/wp-content/plugins/caldera-forms/ui/viewer-two/viewer-2.php
https://verisoftsystems.com/wp-content/plugins/optinmonster/views/upgrade-link-style.php
https://dstvdtt.co.za/wp-content/plugins/social-pug/assets/lib.php
https://cmasedu.com/wp-content/plugins/kirki/inc/script.php
https://bmtpakistan.com/solution/wp-content/plugins/one-click-demo-import/assets/asset.php
verisoftsystems.com
heropersonas.com
dstvdtt.co.za
cmasedu.com
bmtpakistan.com
Attack Patterns
TEARPAGE
BURNBOOK
MISTPEN
UNC2970
T1552.001
T1132.001
T1053.005
T1218.011
T1547.001
T1071.001
T1055
T1204
T1140
T1027
T1566
T1059
Additional Information
Aerospace
Energy
Defense
Government
Sweden
Hong Kong
Cyprus
Singapore
Australia
Netherlands
Germany
United Kingdom of Great Britain and Northern Ireland
United States of America