by Getty Images
Threat actors linked to the North Korean government are targeting security researchers in a hacking campaign that uses new techniques and malware in hopes of gaining a foothold in the companies the targets work for, researchers said.
Researchers from security firm Mandiant said Thursday they first spotted the campaign last June while monitoring a phishing campaign targeting a US-based client in the technology industry. Hackers in this campaign attempted to infect targets with three new malware families, named by Mandiant as Touchmove, Sideshow and Touchshift. The hackers in these attacks also demonstrated new capabilities to defeat endpoint detection tools while operating within the targets’ cloud environments.
“Mandiant suspects that UNC2970 specifically targeted security researchers at this enterprise,” the Mandiant researchers wrote.
Shortly after the campaign was discovered, Mandiant responded to multiple hacks at US and European media organizations by UNC2970, Mandiant’s name for the North Korean threat actor. UNC2970 used spearphishing with a recruitment theme in an attempt to lure targets and trick them into installing the new malware.
Traditionally, UNC2970 targets organizations with spearphishing emails that have job recruitment issues. More recently, the group has turned to using fake LinkedIn accounts belonging to supposed recruiting partners. Accounts are carefully created to impersonate the identities of legitimate individuals to deceive targets and increase their chances of success. Ultimately, the threat actor tries to transfer the conversations to WhatsApp and, from there, use either WhatsApp or email to deliver a Plankwalk call Mandiant backdoor or other malware families.
Plankwalk or the other malware used is primarily delivered via macros embedded in Microsoft Word documents. When the documents are opened and the macros are allowed to run, the target machine downloads and executes a malicious payload from a command and control server. One of the documents used looked like this:
Mandiant
Attackers’ command and control servers are primarily compromised WordPress sites, another technique UNC2970 is known for. The infection process involves sending the target an archive file that, among other things, contains a malicious version of the TightVNC remote desktop application. In the post, Mandiant researchers further described the process:
The ZIP file delivered by UNC2970 contained what the victim believed to be a skills assessment test for a job application. In fact, the ZIP contained an ISO file, which included a trojanized version of TightVNC that Mandiant tracks as LIDSHIFT. The victim was instructed to run the TightVNC application, which, along with the other files, were appropriately named after the company the victim planned to perform the assessment for.
In addition to functioning as a legitimate TightVNC viewer, LIDSHIFT contained multiple hidden features. The first was that when executed by the user, the malware would send a beacon back to its C2 hardcode. the only interaction required from the user was to launch the program. This lack of interaction differs from what MSTIC noted in its recent blog post. The initial C2 beacon from LIDSHIFT contains the initial username and hostname of the victim.
LIDSHIFT’s second capability is to reflexively inject an encrypted DLL into memory. The injected DLL is a trojanized Notepad++ plugin that acts as a downloader, which Mandiant tracks as LIDSHOT. LIDSHOT is injected once the victim opens the drop-down menu inside the TightVNC Viewer application. LIDSHOT has two main functions: system enumeration and downloading and executing shellcode from C2.
The attack continues by installing the Plankwalk backdoor, which can then install a wide range of additional tools, including the Microsoft endpoint InTune. InTune can be used to deliver configurations to endpoints registered with an organization’s Azure Active Directory service. UNC2970 appears to use the legitimate application to bypass endpoint protections.
“The detected malware tools highlight the continued development of malware and the development of new tools by UNC2970,” Mandiant researchers wrote. “Although the group has previously targeted the defense, media and technology industries, the targeting of security researchers suggests a change in strategy or an expansion of its activities.”
While targeting security researchers may be new to UNC2970, other North Korean threat actors have engaged in the activity since at least 2021.
Targets can reduce the chances of infection in these campaigns by using:
- Multi-factor authentication
- Cloud-only accounts to access Azure Active Directory
- A separate account for emailing, web browsing, and similar activities, and a dedicated administrator account for sensitive management functions.
Organizations should also consider other protections, including blocking macros and using privileged identity management, conditional access policies, and security restrictions in Azure AD. Requiring multiple administrators to approve InTune transactions is also recommended. The full list of mitigation measures is included in the Mandiant linked post above.
