UNC2970 Launches MISTPEN Against Critical Infrastructure

Threat Details and Score

Threat Group: UNC2970 (North Korea-linked)
Threat Type: Cyber-Espionage Malware (Backdoor)
Exploited Vulnerabilities: None exploited, uses modified open-source software
Malware Used: MISTPEN, BURNBOOK, TEARPAGE
Threat Score: High (8.3/10)
Last Observation: September 18, 2024 (Mandiant)

Overview:

The UNC2970 threat group, associated with North Korea, has been observed delivering MISTPEN malware via spear-phishing attacks. This campaign targets employees in the aerospace and energy sectors, focusing on those in senior-level positions to steal sensitive information. The attack is initiated through fake job recruitment emails or WhatsApp messages, which contain a trojanized PDF reader bundled with a seemingly legitimate job description PDF.

Once the PDF is opened with the bundled viewer, the trojanized SumatraPDF build deploys MISTPEN (via the BURNBOOK launcher and TEARPAGE loader), a backdoor that allows attackers to remotely control infected systems, download additional payloads, and exfiltrate sensitive data. No software vulnerability is exploited; the viewer itself is the malicious component. The malware uses sophisticated techniques to evade detection and maintain persistence, including creating scheduled tasks and hiding its files in common directories like %APPDATA%.


Key Details:

  • Targeted Industries: Aerospace, energy, and critical infrastructure sectors
  • Phishing Techniques: Fake job offers through spear-phishing emails and WhatsApp messages
  • Execution Method: Weaponized SumatraPDF viewer delivers MISTPEN via the BURNBOOK launcher and TEARPAGE loader
  • Malware Capabilities: Remote command execution, data exfiltration, file downloading, and persistence

Attack Vectors:

  • Initial Access: Spear-phishing emails or WhatsApp messages with a ZIP file containing a malicious PDF and a trojanized PDF viewer (SumatraPDF)
  • Execution: Upon opening the PDF with the provided viewer, MISTPEN is deployed via the TEARPAGE loader and BURNBOOK launcher
  • Persistence: The malware creates scheduled tasks to execute daily, ensuring it can maintain control over the compromised system
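The persistence mechanism above (a daily scheduled task launching a binary from a user-writable directory) is something a defender can hunt for directly in Task Scheduler XML definitions. The following is an added example, not code from the advisory or from Mandiant; it parses the standard Task Scheduler XML schema and flags tasks that run an executable from AppData on a daily trigger. The two task definitions are constructed samples, and the task names and paths in them are hypothetical.

```python
"""Hunt for scheduled tasks that run a binary from AppData on a daily schedule.

Added example, not from the original advisory. It parses Task Scheduler XML
definitions (the format stored under C:\\Windows\\System32\\Tasks) and flags
tasks whose Exec action points into a user's AppData directory and whose
trigger repeats daily, the persistence pattern described for MISTPEN.
The two task definitions below are constructed samples, not real artefacts.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Executables under AppData are unusual for scheduled tasks; accept both the
# expanded path and the unexpanded %APPDATA% variable.
APPDATA_RE = re.compile(r"%APPDATA%|\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

# Constructed sample task definitions (hypothetical names and paths). Real task
# files begin with a UTF-16 XML declaration; read those as bytes and pass the
# bytes to parse_task unchanged, ElementTree handles the declared encoding.
SAMPLE_TASKS = {
    "PdfViewerUpdate": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-09-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\PdfViewer\viewer.exe</Command>
      <Arguments>-silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "VendorUpdater": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
    </Exec>
  </Actions>
</Task>""",
}


def parse_task(xml_text):
    """Extract the Exec commands and whether any trigger repeats by day."""
    root = ET.fromstring(xml_text)
    commands = [(c.text or "").strip()
                for c in root.findall(".//t:Actions/t:Exec/t:Command", NS)]
    daily = root.find(".//t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None
    return {"commands": commands, "daily": daily}


def is_suspicious(task):
    """True for a daily task whose executable lives under AppData."""
    return task["daily"] and any(APPDATA_RE.search(cmd) for cmd in task["commands"])


def hunt(tasks):
    """Return the names of the tasks (name -> XML text) matching the pattern."""
    return [name for name, xml in tasks.items() if is_suspicious(parse_task(xml))]


if __name__ == "__main__":
    for name in hunt(SAMPLE_TASKS):
        print(f"suspicious scheduled task: {name}")
```

On a live host, point `hunt` at the contents of `C:\Windows\System32\Tasks` (each file read as bytes). The AppData-plus-daily combination is a heuristic, not a signature: legitimate per-user updaters can match, so treat hits as triage leads and pair them with the file-hash checks from the IoC section.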

Indicators of Compromise (IoCs):

File Hashes (MD5):

28a75771ebdb96d9b49c9369918ca581
57e8a7ef21e7586d008d4116d70062a6
f3baee9c48a2f744a16af30220de5066
006cbff5d248ab4a1d756bce989830b9
0b77dcee18660bdccaf67550d2e00b00
b707f8e3be12694b4470255e2ee58c81
cd6dbf51da042c34c6e7ff7b1641837d
eca8eb8871c7d8f0c6b9c3ce581416ed

URLs:

hxxps://graph.microsoft[.]com/v1.0/me/drive/root:/path/upload/world/266A25710006EF92
heropersonas[.]com
hxxps://dstvdtt.co[.]za/wp-content/plugins/social-pug/assets/lib.php
hxxps://cmasedu[.]com/wp-content/plugins/kirki/inc/script.php
hxxps://bmtpakistan[.]com/solution/wp-content/plugins/one-click-demo-import/assets/asset.php
hxxps://verisoftsystems[.]com/wp-content/plugins/optinmonster/views/upgrade-link-style.php
hxxps://www.clinicabaru[.]co/wp-content/plugins/caldera-forms/ui/viewer-two/viewer-2.php


Mitigation and Prevention:

  • User Awareness: Train employees, especially those in high-risk industries, to identify phishing attempts and avoid opening unsolicited job-related files
  • File Monitoring: Continuously monitor directories such as %APPDATA% for unexpected changes or suspicious files
  • Endpoint Detection and Response (EDR): Deploy EDR tools that monitor for suspicious behavior, such as unauthorized scheduled tasks or execution of malicious binaries like TEARPAGE or MISTPEN
  • Software Integrity Checks: Ensure that commonly used open-source software like SumatraPDF and Notepad++ is regularly updated and verified for integrity to prevent trojanized versions from being deployed
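The File Monitoring and EDR recommendations above, together with the IoC section, can be turned into a simple sweep. The following is an added example, not code from the advisory or from Mandiant: it refangs the published network indicators and matches them against proxy log lines, and it hashes a directory tree (for instance %APPDATA%) against the published MD5 list. The hashes and indicators are copied from the IoC section; the proxy log lines and the file hashed in the demo are constructed samples.

```python
"""Match the advisory's published MISTPEN IoCs against files and proxy logs.

Added example, not part of the original advisory. Hashes and network indicators
are copied from the IoC section; log lines and the demo file are constructed.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# MD5 hashes from the advisory.
MISTPEN_MD5 = frozenset({
    "28a75771ebdb96d9b49c9369918ca581", "57e8a7ef21e7586d008d4116d70062a6",
    "f3baee9c48a2f744a16af30220de5066", "006cbff5d248ab4a1d756bce989830b9",
    "0b77dcee18660bdccaf67550d2e00b00", "b707f8e3be12694b4470255e2ee58c81",
    "cd6dbf51da042c34c6e7ff7b1641837d", "eca8eb8871c7d8f0c6b9c3ce581416ed",
})

# Network indicators, defanged exactly as published.
DEFANGED = [
    "hxxps://graph.microsoft[.]com/v1.0/me/drive/root:/path/upload/world/266A25710006EF92",
    "heropersonas[.]com",
    "hxxps://dstvdtt.co[.]za/wp-content/plugins/social-pug/assets/lib.php",
    "hxxps://cmasedu[.]com/wp-content/plugins/kirki/inc/script.php",
    "hxxps://bmtpakistan[.]com/solution/wp-content/plugins/one-click-demo-import/assets/asset.php",
    "hxxps://verisoftsystems[.]com/wp-content/plugins/optinmonster/views/upgrade-link-style.php",
    "hxxps://www.clinicabaru[.]co/wp-content/plugins/caldera-forms/ui/viewer-two/viewer-2.php",
]

# graph.microsoft.com is a legitimate service abused as a dead drop; alerting on
# the bare hostname would be pure noise, so it is matched on the full URL only.
SHARED_SERVICES = {"graph.microsoft.com"}


def refang(indicator):
    """Undo the hxxp / [.] defanging so the indicator can be compared to logs."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def host_of(url):
    """Lower-cased hostname without a leading 'www.' (empty if unparsable)."""
    host = (urlparse(url if "://" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


C2_URLS = [refang(i) for i in DEFANGED if "://" in i]
C2_HOSTS = {host_of(refang(i)) for i in DEFANGED} - SHARED_SERVICES
URL_RE = re.compile(r"https?://[^\s\"']+")


def match_log_line(line):
    """Return the indicator a proxy log line hit (full URL or host), or None."""
    for url in URL_RE.findall(line):
        if any(url.startswith(c2) for c2 in C2_URLS):
            return url
        host = host_of(url)
        if host in C2_HOSTS:
            return host
    return None


def scan_log(text):
    """Return (line number, indicator) for every line that hits an IoC."""
    return [(n, hit) for n, line in enumerate(text.splitlines(), 1)
            if (hit := match_log_line(line))]


def md5_of_file(path):
    """Stream a file through MD5, the hash type the advisory publishes."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, known=MISTPEN_MD5):
    """Walk a tree such as %APPDATA% and return files whose MD5 is a known IoC."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files
            if md5_of_file(os.path.join(d, f)) in known]


def demo_directory_scan():
    """Hash a constructed file; returns hits for a test hash set and for the real set."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "sample.bin"), "wb") as f:
            f.write(b"hello")  # MD5 of b"hello" is 5d41402abc4b2a76b9719d911017c592
        hits = scan_directory(tmp, {"5d41402abc4b2a76b9719d911017c592"})
        return [os.path.basename(p) for p in hits], scan_directory(tmp)


# Constructed proxy log lines (timestamp, client, method, URL, status).
SAMPLE_PROXY_LOG = """\
2024-09-18T10:01:02Z 10.0.0.12 GET https://www.example.com/index.html 200
2024-09-18T10:02:17Z 10.0.0.12 GET https://graph.microsoft.com/v1.0/me/drive/root:/path/upload/world/266A25710006EF92 200
2024-09-18T10:03:41Z 10.0.0.15 POST https://dstvdtt.co.za/wp-content/plugins/social-pug/assets/lib.php 200
2024-09-18T10:04:00Z 10.0.0.15 GET https://graph.microsoft.com/v1.0/me 200
2024-09-18T10:05:30Z 10.0.0.20 GET https://heropersonas.com/login 200
"""

if __name__ == "__main__":
    for n, hit in scan_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: {hit}")
    print(demo_directory_scan())
```

The bare `graph.microsoft.com/v1.0/me` line is deliberately not flagged: the Graph API host is shared with every Microsoft 365 tenant, so only the full upload path published in the IoC list is treated as an indicator. Hash matching is exact, so a recompiled or padded sample will not match; pair it with the behavioural checks (scheduled tasks, binaries under %APPDATA%) rather than relying on it alone.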

Conclusion:

The MISTPEN malware campaign, deployed by UNC2970, represents a sophisticated threat that leverages social engineering and trojanized software to infiltrate high-profile sectors such as aerospace and energy. By employing spear-phishing tactics and advanced backdoors, the attackers can stealthily gain access to sensitive data while maintaining a persistent foothold in the target environment. Organizations in these sectors must implement heightened security protocols, including phishing training, continuous monitoring, and robust endpoint protection, to mitigate this threat.


Sources:

  1. SecurityWeek - North Korean Hackers Lure Critical Infrastructure Employees with Fake Jobs
  2. The Hacker News - North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware
  3. CyberMaterial - North Korean Hackers Debut MISTPEN Malware
  4. Google Cloud Threat Intelligence - UNC2970's Use of Trojanized PDF Reader for Cyber Espionage