A suspected North Korean hacking group is targeting security researchers and media organizations in the U.S. and Europe with fake job offers that lead to the deployment of three new, custom malware families.
The attackers use social engineering to move their targets onto WhatsApp, where they deliver a malicious document that ultimately installs “PlankWalk,” a C++ backdoor that gives them a foothold in the target’s corporate environment.
According to Mandiant, which has been tracking the particular campaign since June 2022, the observed activity overlaps with “Operation Dream Job,” attributed to the North Korean cluster known as the “Lazarus group.”
However, Mandiant observed enough differences in the employed tools, infrastructure, and TTPs (tactics, techniques, and procedures) to attribute this campaign to a separate group they track as “UNC2970.”
Furthermore, the attackers use three previously unseen malware families, “TouchMove,” “SideShow,” and “TouchShift,” which have not been attributed to any known threat group.
Mandiant says the group has previously targeted tech firms, media groups, and entities in the defense industry. Its latest campaign shows that it has widened its targeting and adapted its capabilities.
Phishing to gain a foothold
The hackers start their attack by approaching targets over LinkedIn, posing as job recruiters. They then move the “recruitment” process to WhatsApp, where they share a Word document embedded with malicious macros.
Mandiant says that in some cases these Word documents are tailored to the job descriptions being pitched to the target. For example, one of the lures shared by Mandiant impersonates the New York Times, as shown below.
The Word document’s macros perform remote-template injection to fetch a trojanized version of TightVNC from compromised WordPress sites that serve as the attacker’s command and control servers.
Mandiant tracks this custom-made version of TightVNC as “LidShift.” Upon execution, it uses reflective DLL injection to load an encrypted DLL (a trojanized Notepad++ plugin) into memory.
The loaded file is a malware downloader named “LidShot,” which performs system enumeration and then deploys “PlankWalk,” the backdoor that establishes the foothold on the breached device.
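The remote-template step in the chain above leaves a static artifact: a Word document that pulls its template from elsewhere records that link as an attachedTemplate relationship in the OOXML package, so a mail gateway or triage script can flag it without opening the file. The following is an added example written for this article, not Mandiant’s or the campaign’s code; it builds a constructed sample document in memory (the URL example.invalid is a placeholder, not an indicator from the campaign) and distinguishes a remote HTTP(S) or UNC template from a harmless local template path. It also reports a VBA project container (word/vbaProject.bin), since the lures described here carried macros as well.

```python
"""Static triage for remote-template injection in OOXML (Word) documents.

Added example, not code from the article or from Mandiant. A document based on
a remote template stores the link in word/_rels/settings.xml.rels as a
Relationship of Type .../attachedTemplate with TargetMode="External".
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
VBA_PART = "word/vbaProject.bin"  # macro container in a .docm package


def external_templates(docx_bytes):
    """Return (rels_part, target) for every attachedTemplate relationship whose
    target lies outside the package. A document based on a local template
    carries the same relationship, so the target itself must be inspected."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(part))
            except ET.ParseError:
                continue  # malformed .rels part: nothing readable here
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                found.append((part, rel.get("Target", "")))
    return found


def triage(docx_bytes):
    """Classify a document. HTTP(S) URLs and UNC paths are the injection
    pattern; a drive-letter path to a local .dotm is ordinary Word behaviour."""
    remote = [
        target for _, target in external_templates(docx_bytes)
        if urlparse(target).scheme.lower() in ("http", "https")
        or target.startswith("\\\\")
    ]
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        has_vba = VBA_PART in pkg.namelist()
    if remote:
        verdict = "remote-template-injection"
    elif has_vba:
        verdict = "macro-only"
    else:
        verdict = "clean"
    return {"remote_templates": remote, "has_vba": has_vba, "verdict": verdict}


def build_sample_docx(template_target=None, with_vba=False):
    """Construct a minimal OOXML package in memory (constructed sample, not a
    real lure). Only the parts the check above reads are populated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml", f'<w:document xmlns:w="{WML_NS}"/>')
        pkg.writestr("word/settings.xml",
                     f'<w:settings xmlns:w="{WML_NS}" '
                     f'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                     '<w:attachedTemplate r:id="rId1"/></w:settings>')
        rels = ['<?xml version="1.0" encoding="UTF-8"?>',
                f'<Relationships xmlns="{PKG_REL_NS}">']
        if template_target is not None:
            rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{template_target}" TargetMode="External"/>')
        rels.append("</Relationships>")
        pkg.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_vba:
            pkg.writestr(VBA_PART, b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL for illustration only; not an indicator from the campaign.
    lure = build_sample_docx("http://example.invalid/template.dotm", with_vba=True)
    print(triage(lure))
    print(triage(build_sample_docx("C:\\Templates\\Normal.dotm")))
```

The check is deliberately narrow: it reads only the relationship parts, never the macros, so it is safe to run on untrusted files, and a local template path does not trip it. Templates fetched purely by macro code at run time are not visible this way and still need dynamic analysis.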
Disguising as Windows files
During the post-exploitation phase, the North Korean hackers use a new, custom malware dropper named “TouchShift,” which disguises itself as a legitimate Windows binary (mscoree.dll or netplwix.dll).
TouchShift then loads a screenshot utility called “TouchShot,” a keylogger named “TouchKey,” a tunneller named “HookShot,” a new loader named “TouchMove,” and a new backdoor named “SideShow.”
The most interesting of the bunch is the new custom backdoor SideShow, which supports 49 commands. These let an attacker execute arbitrary code on the compromised device, modify the registry, manipulate firewall settings, add scheduled tasks, and run additional payloads.
In some cases where the targeted organizations didn’t use a VPN, the threat actors were observed abusing Microsoft Intune to deploy the “CloudBurst” malware using PowerShell scripts.
CloudBurst also disguises itself as a legitimate Windows file, specifically “mscoree.dll,” and its role is to perform system enumeration.
Disabling EDR tools via zero-day
A second report published by Mandiant today focuses on the “bring your own vulnerable driver” (BYOVD) tactic used by UNC2970 in the latest campaign.
Upon examining the logs on compromised systems, Mandiant’s analysts found suspicious drivers and an odd DLL file (“_SB_SMBUS_SDK.dll”).
Upon further investigation, the researchers discovered these files had been created by another file named “Share.DAT,” an in-memory dropper tracked as “LightShift.”
The dropper loads an obfuscated payload called “LightShow,” which uses one of the dropped drivers, a legitimately signed but vulnerable one, to perform arbitrary read and write operations on kernel memory. Because the driver carries a valid signature, it loads like any other driver; the malicious logic lives in the user-mode payload that drives it.
The payload’s role is to patch kernel routines used by EDR (Endpoint Detection and Response) software, helping the intruders evade detection.
Notably, the driver used in this campaign was an ASUS driver (“Driver7.sys”) which wasn’t known to be vulnerable at the time of Mandiant’s discovery, so the North Korean hackers were exploiting a zero-day flaw.
Mandiant reported the issue to ASUS in October 2022. The vulnerability received the identifier CVE-2022-42455, and the vendor fixed it in an update released seven days later.
North Korean hackers previously targeted security researchers involved in vulnerability and exploit development by creating fake online social media personas that pretended to be vulnerability researchers.
These personas would then contact other security researchers about potential collaboration in vulnerability research.