An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
Sept. 18, 2024, 9:03 a.m.
Description
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP archive containing an encrypted PDF and modified PDF viewer. BURNBOOK decrypts and executes MISTPEN, which can download and run PE files. TEARPAGE, embedded in BURNBOOK, loads MISTPEN through DLL hijacking. The malware evolved to include network checks and new features. UNC2970 has targeted victims in multiple countries, focusing on senior-level employees in critical sectors.
Tags
Date
- Created: Sept. 18, 2024, 8:47 a.m.
- Published: Sept. 18, 2024, 8:47 a.m.
- Modified: Sept. 18, 2024, 9:03 a.m.
Indicators
- cb1d73323d3d80004ada185844b0d461abd9ded736d5dc690607f935b4f2b58a
- 2e9f97ade5573d037c7b1286a129e5b5b2e9acc7723e5732879c5211d57249fd
- 1565161807718ced42e482c4ddfd5423c0249c5f110fcb5289954b19f9790ffc
- www.clinicabaru.co
- https://www.clinicabaru.co/wp-content/plugins/caldera-forms/ui/viewer-two/viewer-2.php
- https://verisoftsystems.com/wp-content/plugins/optinmonster/views/upgrade-link-style.php
- https://dstvdtt.co.za/wp-content/plugins/social-pug/assets/lib.php
- https://cmasedu.com/wp-content/plugins/kirki/inc/script.php
- https://bmtpakistan.com/solution/wp-content/plugins/one-click-demo-import/assets/asset.php
- verisoftsystems.com
- heropersonas.com
- dstvdtt.co.za
- cmasedu.com
- bmtpakistan.com
Attack Patterns
- TEARPAGE
- BURNBOOK
- MISTPEN
- UNC2970
- T1552.001
- T1132.001
- T1053.005
- T1218.011
- T1547.001
- T1071.001
- T1055
- T1204
- T1140
- T1027
- T1566
- T1059
Additional Informations
- Aerospace
- Energy
- Defense
- Government
- Sweden
- Hong Kong
- Cyprus
- Singapore
- Australia
- Netherlands
- Germany
- United Kingdom of Great Britain and Northern Ireland
- United States of America