Threat actors linked to the North Korean government have been targeting security researchers in a hacking campaign that uses new malware techniques and software in hopes of gaining a foothold within the companies the targets work for, researchers said.
Researchers from the security firm Mandiant said on Thursday that they first discovered the campaign last June while tracking a phishing campaign aimed at a US-based customer in the technology industry. The hackers in this campaign attempted to infect targets with three new malware families, which Mandiant calls Touchmove, Sideshow, and Touchshift. The hackers in these attacks also demonstrated new capabilities for evading endpoint detection tools while operating inside the targets’ cloud environments.
“Mandiant suspects that UNC2970 specifically targeted security researchers in this operation,” the Mandiant researchers wrote.
Shortly after discovering the campaign, Mandiant responded to numerous intrusions at American and European media organizations by UNC2970, Mandiant’s name for the North Korean threat actor. UNC2970 used spearphishing with a recruiting theme in an attempt to lure targets and trick them into installing new malware.
Traditionally, UNC2970 has targeted organizations with emails built around job recruitment themes. More recently, the group has turned to fake LinkedIn accounts belonging to purported recruiters. The accounts are carefully set up to imitate the identities of legitimate people in order to deceive targets and improve the chances of success. Eventually, the threat actor attempts to move the conversation to WhatsApp, and from there uses either WhatsApp or email to deliver a backdoor Mandiant calls PlankWalk, or other malware families.
PlankWalk and the other malware used are primarily delivered through macros embedded in Microsoft Word documents. When a document is opened and macros are allowed to run, the target machine downloads and executes a malicious payload from the command-and-control server. One of the documents used looked like this:
The attacker’s command-and-control servers are mainly compromised WordPress sites, another known UNC2970 technique. The infection process involves sending the target an archive file that contains, among other things, a malicious version of the TightVNC remote desktop application. In the post, the Mandiant researchers describe the process:
The ZIP file delivered by UNC2970 contained what the victim believed was a skills assessment test for a job application. In fact, the ZIP file contained an ISO file, which included a trojanized copy of TightVNC that Mandiant tracks as LIDSHIFT. The victim was instructed to run the TightVNC application which, along with the other files, was appropriately named for the company the victim planned to perform the assessment for.
In addition to serving as a legitimate TightVNC viewer, LIDSHIFT contained several hidden features. The first is that, when executed by the user, the malware sends a beacon back to its encrypted C2; the only interaction required from the user was to launch the program. This lack of interactivity is different from what MSTIC noted in a recent blog post. The initial C2 beacon of LIDSHIFT contains the victim’s initial username and hostname.
LIDSHIFT’s second capability is to reflectively inject an encrypted DLL into memory. The injected DLL is a trojanized Notepad++ plug-in that functions as a downloader, which Mandiant tracks as LIDSHOT. LIDSHOT is injected as soon as the victim opens the drop-down menu within the TightVNC Viewer application. LIDSHOT has two basic functions: enumerating the system and downloading and executing shellcode from C2.
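The lure described above arrives as a ZIP that wraps an ISO, and the earlier delivery path relies on macro-enabled Word documents. The following is an added example, not code from the article or from Mandiant, of a mail-gateway style check that flags both patterns: disk images and executables nested inside an attachment archive, and Office documents that carry a VBA project. The archives it scans are constructed in memory for the demonstration; file-type lists and the recursion limit are assumptions.

```python
from __future__ import annotations

import io
import zipfile

# Member types the article associates with the lure: nested disk images and
# executables inside a ZIP. The list is an assumption for this example.
BLOCKED_INNER_EXT = {".iso", ".img", ".vhd", ".vhdx", ".exe", ".dll", ".lnk", ".scr"}
# Office Open XML documents are themselves ZIPs; a vbaProject.bin part means macros.
MACRO_MARKERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Containers worth descending into, including Office documents inside the outer ZIP.
NESTED_CONTAINERS = {".zip", ".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
MAX_DEPTH = 3  # guard against deeply nested or zip-bomb style archives


def inspect_zip(data: bytes, depth: int = 0) -> list[str]:
    """Return findings for a ZIP attachment; an empty list means nothing was flagged."""
    findings: list[str] = []
    if depth > MAX_DEPTH:
        return ["nesting deeper than allowed limit"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    names = zf.namelist()
    for marker in MACRO_MARKERS:
        if marker in names:
            findings.append(f"macro-enabled Office document (contains {marker})")
    for name in names:
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in BLOCKED_INNER_EXT:
            findings.append(f"archive member {name!r} has blocked type {ext}")
        if ext in NESTED_CONTAINERS:
            # Recurse so a .docm inside the ZIP is inspected for its VBA project.
            for inner in inspect_zip(zf.read(name), depth + 1):
                findings.append(f"{name}: {inner}")
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper that builds an in-memory ZIP from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real lure files): a ZIP wrapping an ISO placeholder,
# a ZIP wrapping a minimal macro-enabled Word document, and a benign archive.
LURE_ISO_ZIP = build_zip({"Skills_Assessment/Assessment.iso": b"\x00" * 64})
MACRO_DOCM = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0",  # OLE header bytes only
})
LURE_MACRO_ZIP = build_zip({"Job_Description.docm": MACRO_DOCM})
BENIGN_ZIP = build_zip({"notes/readme.txt": b"nothing to see here"})

if __name__ == "__main__":
    for label, blob in (("iso lure", LURE_ISO_ZIP), ("macro lure", LURE_MACRO_ZIP), ("benign", BENIGN_ZIP)):
        print(label, "->", inspect_zip(blob) or "clean")
```

The check deliberately treats a disk image inside an archive as a finding on its own, without opening the ISO, because the layering itself is the tell here; a production gateway would hand the ISO to an image parser and apply the same executable checks to its contents.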
The attack then installs the PlankWalk backdoor, which in turn can install a wide range of additional tools, including Microsoft’s Intune endpoint management application. Intune can be used to push configurations to endpoints enrolled in an organization’s Azure Active Directory service. UNC2970 appears to be using the legitimate application to bypass endpoint protection.
“The identified malware tools highlight the continued development of malware and the deployment of new tools by UNC2970,” Mandiant researchers wrote. “Although the group has previously targeted the defense, media and technology industries, the targeting of security researchers indicates a shift in strategy or an expansion of its operations.”
While targeting security researchers may be new to UNC2970, other North Korean threat actors have engaged in this activity since at least 2021.
Targets can reduce the chances of infection in these campaigns by using:
- Multi-factor authentication
- Cloud-only accounts to access Azure Active Directory
- A separate account for emailing, web browsing, and similar activities, and an administrator account designated for sensitive administrative functions.
Organizations should also consider other protections, including blocking macros, using privileged identity management, conditional access policies, and security restrictions in Azure AD. It is also recommended to require multiple administrators to approve Intune transactions. The full list of mitigations is included in the Mandiant post linked above.
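The account-hygiene recommendations above (MFA, cloud-only privileged accounts, and separate admin accounts) and the Intune multi-admin approval point are straightforward to audit from a directory export. The following is an added example, not code from the article or from Mandiant, that runs those checks over a constructed set of user records; the record fields loosely mirror Microsoft Graph user and registration-details properties but are an assumption here, as is the list of roles treated as privileged.

```python
from __future__ import annotations

# Roles treated as privileged for this audit (assumption for the example).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Intune Administrator",
    "Privileged Role Administrator",
}

# Constructed directory export, not real tenant data. Field names are modeled on
# Graph properties (onPremisesSyncEnabled, isMfaRegistered) but the shape is assumed.
SAMPLE_USERS = [
    {"userPrincipalName": "alice.admin@example.com", "onPremisesSyncEnabled": False,
     "roles": ["Global Administrator"], "isMfaRegistered": True, "hasMailbox": False},
    {"userPrincipalName": "bob@example.com", "onPremisesSyncEnabled": True,
     "roles": ["Intune Administrator"], "isMfaRegistered": True, "hasMailbox": True},
    {"userPrincipalName": "carol@example.com", "onPremisesSyncEnabled": False,
     "roles": [], "isMfaRegistered": False, "hasMailbox": True},
]

# Constructed tenant-level settings; the key names are assumptions for the example.
SAMPLE_TENANT = {
    "officeMacrosBlockedFromInternet": False,
    "intuneMultiAdminApproval": False,
}


def audit_users(users: list[dict]) -> list[tuple[str, str]]:
    """Return (userPrincipalName, finding) pairs for accounts that miss a recommendation."""
    findings: list[tuple[str, str]] = []
    for user in users:
        upn = user["userPrincipalName"]
        privileged = PRIVILEGED_ROLES.intersection(user.get("roles", []))
        # Recommendation 1: every account should have MFA registered.
        if not user.get("isMfaRegistered"):
            findings.append((upn, "no MFA registered"))
        if privileged:
            # Recommendation 2: privileged roles belong on cloud-only accounts, so that
            # a compromise of the on-premises directory cannot reach Azure AD admins.
            if user.get("onPremisesSyncEnabled"):
                findings.append((upn, "privileged role on a directory-synced account"))
            # Recommendation 3: admin functions get a dedicated account, separate from
            # the one used for email and web browsing where the lure documents arrive.
            if user.get("hasMailbox"):
                findings.append((upn, "privileged role on a mailbox-enabled account"))
    return findings


def audit_tenant(settings: dict) -> list[str]:
    """Return findings for tenant-wide settings the article recommends."""
    findings: list[str] = []
    if not settings.get("officeMacrosBlockedFromInternet"):
        findings.append("Office macros from the internet are not blocked")
    if not settings.get("intuneMultiAdminApproval"):
        findings.append("Intune changes do not require multi-admin approval")
    return findings


if __name__ == "__main__":
    for upn, finding in audit_users(SAMPLE_USERS):
        print(f"{upn}: {finding}")
    for finding in audit_tenant(SAMPLE_TENANT):
        print(f"tenant: {finding}")
```

In the constructed data only the dedicated, cloud-only admin account passes every check; the synced Intune administrator who also reads mail is exactly the profile that turns a successful lure into Intune-pushed configuration across the fleet.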