From Job Vacancies to Backdoor: Anatomy of North Korea's Sophisticated Attack

North Korean hackers have turned recruiting into a cyber weapon against the United States.

In June 2024, Mandiant Managed Defense identified new activity by UNC2970, a cyberespionage group with a suspected North Korea nexus. Later that month, Mandiant recorded phishing lures in which the attackers posed as an energy company and as an organization in the aerospace industry.

UNC2970 uses fake job vacancies, posing as recruiters from well-known companies. For each target, the attackers tailor the job description to the victim's profile. Contact with the victim takes place over email or WhatsApp. The attackers then send an archive supposedly containing the job description as a PDF. However, the PDF can only be opened with a fake version of the SumatraPDF reader, and that fake reader installs the MISTPEN backdoor, which gives the attackers control over the victim's system.

Mandiant found that UNC2970 had modified the code of an old version of SumatraPDF; the SumatraPDF project itself was not compromised. Following the investigation, Mandiant notified the program's developers of the campaign.

MISTPEN is a trojanized version of a legitimate Notepad++ plugin, binhex.dll, which complicates analysis. According to the researchers, newer versions of the backdoor have gained additional features over time, including a network connectivity check, which makes the job of security analysts harder.
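As an added example (not code from Mandiant or from the original post), the following Python sketches how a defender could pick the chain described above out of image-load telemetry: a Notepad++ plugin DLL named binhex.dll loaded by something other than notepad++.exe or from outside the Notepad++ plugins directory, and a SumatraPDF.exe that runs from a user-writable location such as Downloads, where an extracted archive would land. The record layout, the directory lists and the sample events are constructed assumptions; this is a heuristic, not a signature for MISTPEN.

```python
"""Heuristic triage of image-load records for the UNC2970 delivery chain.

Added example, not from Mandiant or the original post. Assumes a
Sysmon-style image-load record (loading process path, loaded DLL path)
flattened into a small dataclass; all field names, directory lists and
sample events below are constructed for illustration.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumption: a default Notepad++ install. The legitimate binhex plugin is
# only ever loaded by notepad++.exe from one of these directories.
NOTEPADPP_PLUGIN_DIRS = (
    r"c:\program files\notepad++\plugins",
    r"c:\program files (x86)\notepad++\plugins",
)

# Path fragments that indicate a user-writable, non-installed location.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


@dataclass
class ImageLoad:
    process_image: str  # full path of the process doing the loading
    loaded_image: str   # full path of the DLL being loaded


def assess(ev: ImageLoad) -> list[str]:
    """Return the reasons (possibly none) this event matches the chain."""
    reasons: list[str] = []
    proc = ev.process_image.lower()
    dll = ev.loaded_image.lower()
    proc_name = ntpath.basename(proc)
    dll_name = ntpath.basename(dll)
    dll_dir = ntpath.dirname(dll)

    # MISTPEN is a trojanized copy of the Notepad++ plugin binhex.dll.
    if dll_name == "binhex.dll":
        if proc_name != "notepad++.exe":
            reasons.append(f"binhex.dll loaded by {proc_name}, not notepad++.exe")
        if not any(dll_dir.startswith(d) for d in NOTEPADPP_PLUGIN_DIRS):
            reasons.append(f"binhex.dll loaded from unexpected directory {dll_dir}")

    # The trojanized reader arrives inside an archive, so it executes from
    # wherever the victim extracted it rather than from an install directory.
    if proc_name == "sumatrapdf.exe" and any(h in proc for h in USER_WRITABLE_HINTS):
        reasons.append(f"SumatraPDF.exe executing from user-writable path {proc}")

    return reasons


def scan(events: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Return only the events that triggered at least one heuristic."""
    flagged = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample telemetry: one benign plugin load, one event shaped like
# the lure described in the article, and one unrelated benign load.
SAMPLE_EVENTS = [
    ImageLoad(
        r"C:\Program Files\Notepad++\notepad++.exe",
        r"C:\Program Files\Notepad++\plugins\binhex\binhex.dll",
    ),
    ImageLoad(
        r"C:\Users\alice\Downloads\job_description\SumatraPDF.exe",
        r"C:\Users\alice\Downloads\job_description\binhex.dll",
    ),
    ImageLoad(
        r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
        r"C:\Windows\System32\kernel32.dll",
    ),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.process_image)
        for r in reasons:
            print("  -", r)
```

Run against real Sysmon Event ID 7 data the three checks are cheap enough to apply to every record; a hit on the binhex.dll rules is rare in a normal estate and worth a manual look even on its own.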

UNC2970 targets employees connected with U.S. critical infrastructure, chiefly managers and executives with access to confidential information. To reach them, the attackers take genuine job descriptions and make minor changes to the qualification and work-experience requirements so that the posting fits the chosen victim.

Mandiant notes that these UNC2970 attacks aim at gaining access to strategic information, and that the group's activity overlaps with that of another North Korean group, TEMP.Hermit, which has been active since 2013.

Earlier, in 2023, Mandiant reported that North Korean hackers were targeting cybersecurity researchers and media organizations in the United States and Europe with fake job offers that led to the deployment of three new malware families.
