North Korean hackers target security researchers with new backdoor attack


Threat actors linked to the North Korean government are targeting security researchers in a hacking campaign that uses new techniques and malware to gain a foothold inside the companies they target, researchers said.

Researchers at security firm Mandiant said Thursday they first spotted the campaign last June while tracking a phishing campaign targeting a US-based customer in the technology industry. In this campaign, hackers attempted to infect targets with three new malware families, dubbed by Mandiant as TouchMove, Sideshow and TouchShift. The hackers in these attacks also demonstrated new capabilities to counter endpoint detection tools when operating inside targets’ cloud environments.

“Mandiant suspects UNC2970 specifically targets security researchers in this operation,” the Mandiant researchers wrote.

Shortly after discovering the campaign, Mandiant responded to a number of intrusions on US and European media organizations by UNC2970, Mandiant’s name for a North Korean threat actor. UNC2970 used spearphishing with a job recruitment theme in an attempt to lure targets and trick them into installing new malware.

Traditionally, UNC2970 has targeted organizations with tailored emails built around job recruitment topics. More recently, the group has shifted to using fake LinkedIn accounts belonging to purported recruiters. The accounts are carefully crafted to mimic the identities of legitimate people in order to deceive the targets and increase the chances of success. Eventually, the threat actor tries to move the conversation to WhatsApp and, from there, uses WhatsApp or email to deliver the backdoor Plankwalk or other malware families.

Plankwalk and the other malware used are primarily distributed via macros embedded in Microsoft Word documents. When the documents are opened and the macros are allowed to run, the target’s machine downloads and executes a malicious payload from the command and control server. One of the documents used looked like this:



The attackers’ command and control servers are primarily compromised WordPress sites, another technique UNC2970 is known for. The infection process involves sending the target an archive file that contains, among other things, a malicious version of the TightVNC remote desktop application. In the post, the Mandiant researchers described the process as follows:


The ZIP file delivered by UNC2970 contained what the victim thought was a skills assessment test for a job application. In fact, the ZIP contained an ISO file that contained a trojanized version of TightVNC that Mandiant tracks as LIDSHIFT. The victim was instructed to run the TightVNC application, which, along with other files, was appropriately named after the company the victim planned to conduct an assessment for.

Besides functioning as a valid TightVNC viewer, LIDSHIFT has several hidden features. The first was that upon execution by the user, the malware would send a beacon back to its hardcoded C2; the only interaction required on the part of the user was the launching of the program. This lack of conversation is in stark contrast to what MSTIC has observed in its recent blog post. LIDSHIFT’s initial C2 beacon contains the initial username and hostname of the victim.

Another capability of LIDSHIFT is to inject an encrypted DLL into memory reflectively. The injected DLL is a trojanized Notepad++ plugin that acts as a downloader, which Mandiant tracks as LIDSHOT. LIDSHOT is injected as soon as the victim opens the drop down inside the TightVNC viewer application. LIDSHOT has two primary functions: system enumeration and downloading and executing shellcode from C2.
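The delivery chain described above (a ZIP that carries an ISO, and, earlier in the article, Word documents that carry macros) is something a mail gateway or file-triage script can flag structurally before any user runs anything. The following is an added example, not code from the article or from Mandiant: it inspects a ZIP in memory, flags nested disk-image containers by extension, and opens OOXML documents to check for a `vbaProject.bin` part, which is how Office stores a VBA project. The container extension list beyond `.iso`, the member names and the constructed sample archive are assumptions for illustration.

```python
import io
import zipfile

# Disk-image containers nested inside a ZIP keep the real payload out of sight
# of simple attachment scanners. ISO is the format the article describes; the
# other extensions are assumed common equivalents, not taken from the article.
NESTED_CONTAINER_EXTS = (".iso", ".img", ".vhd", ".vhdx")

# OOXML (ZIP-based) Office formats. The check below looks inside the document,
# so a macro-bearing file renamed to .docx is still caught.
OOXML_DOC_EXTS = (".docx", ".docm", ".dotm", ".xlsm", ".pptm")


def _has_vba_project(doc_bytes: bytes) -> bool:
    """Return True if an OOXML document contains a VBA project part.

    Word stores it as word/vbaProject.bin, Excel as xl/vbaProject.bin and
    PowerPoint as ppt/vbaProject.bin, so match on the file name only.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            return any(name.endswith("vbaProject.bin") for name in doc.namelist())
    except zipfile.BadZipFile:
        # Not a valid OOXML container; leave it to other checks.
        return False


def triage_zip(zip_bytes: bytes) -> list:
    """Return (finding, member_name) pairs for suspicious members of a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename.lower()
            if name.endswith(NESTED_CONTAINER_EXTS):
                findings.append(("nested_container", info.filename))
            elif name.endswith(OOXML_DOC_EXTS) and _has_vba_project(archive.read(info)):
                findings.append(("macro_document", info.filename))
            elif name.endswith((".doc", ".dot")):
                # Legacy binary Office formats are OLE files, not ZIPs; this
                # script cannot inspect them structurally, so flag for sandboxing.
                findings.append(("legacy_office_binary", info.filename))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking a 'skills assessment' lure."""
    macro_doc = io.BytesIO()
    with zipfile.ZipFile(macro_doc, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        # Only the OLE compound-file magic bytes; no real VBA is embedded.
        d.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")

    clean_doc = io.BytesIO()
    with zipfile.ZipFile(clean_doc, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Skills_Assessment/Assessment.iso", b"\x00" * 64)  # placeholder bytes
        z.writestr("Skills_Assessment/Instructions.docm", macro_doc.getvalue())
        z.writestr("Skills_Assessment/README.docx", clean_doc.getvalue())
        z.writestr("Skills_Assessment/notes.txt", b"plain text")
    return outer.getvalue()


if __name__ == "__main__":
    for finding, member in triage_zip(build_sample_zip()):
        print(f"{finding}: {member}")
```

The script only reads archive metadata and member contents; it never extracts to disk or executes anything, so it is safe to run on untrusted input at a gateway. A real deployment would also apply the same checks recursively to any nested ZIP and hand ISO and legacy `.doc` members to a sandbox rather than stopping at the extension.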


The attack went on to install the Plankwalk backdoor, which could install a wide range of additional tools, including the Microsoft endpoint application Intune. Intune can be used to push configuration to endpoints enrolled in an organization’s Azure Active Directory service. UNC2970’s use of a legitimate application in this way appears to be an attempt to bypass endpoint protection.

“The detected malware tools highlight ongoing malware evolution and deployment of new tools by UNC2970,” the Mandiant researchers wrote. “Although the group has previously targeted the defense, media and technology industries, the targeting of security researchers suggests a change in strategy or an expansion of its operations.”

While UNC2970’s targeting of security researchers may be new, other North Korean threat actors have engaged in such activity since at least 2021.

Targets can reduce the chance of getting infected in these campaigns by using the following:

  • Multi-factor authentication
  • Cloud-only accounts to access Azure Active Directory
  • A separate account for sending email, web browsing, and similar activities, and a dedicated administrator account for sensitive administrative tasks

Organizations should also consider other security measures, including blocking macros and using privileged identity management, conditional access policies, and security restrictions in Azure AD. Requiring multiple administrators to approve Intune transactions is also recommended. A full list of mitigations is included in the Mandiant post.
