Attacker targets security researchers with spear-phishing attacks
According to cybersecurity firm Mandiant, a North Korean espionage group known as UNC2970 has been carrying out spear-phishing attacks against media and technology organizations in the US and Europe since June 2022, using new and previously unknown malware families.
The Mandiant report says security researchers were the primary targets of the attacks, which used LinkedIn to impersonate recruiters and open initial communication with potential victims, followed by delivery of a phishing payload, posing as a job description, over WhatsApp. UNC2970 is the threat intelligence firm’s designation for a set of North Korean cyber activity that maps to UNC577 (aka TEMP.Hermit) and includes another nascent threat cluster tracked as UNC4034.
The attacks are aimed at security researchers, with the group impersonating recruiters on LinkedIn and initiating contact with potential victims. UNC2970 then uses WhatsApp to deliver a phishing payload disguised as a fake job description, which contains a backdoor called Plankwalk or malware from other families.
UNC2970 has traditionally targeted organizations with spear-phishing emails built around job recruitment themes. Recently, the group has begun to use fake LinkedIn accounts belonging to purported recruiters. The accounts are carefully crafted to look like legitimate people in order to fool targets and increase the group's chances of success. Eventually, the threat actor attempts to shift the conversation to WhatsApp and, from there, uses either WhatsApp or email to deliver a backdoor Mandiant refers to as Plankwalk, or other malware families.
When conducting phishing operations, UNC2970 initially communicated with targets via LinkedIn as recruiters. After contacting a target, UNC2970 would attempt to shift the conversation to WhatsApp, where they would continue interacting with their target before sending a phishing payload disguised as a job description. UNC2970 continued interacting with a victim even after the phishing payload was executed and detected, asking for screenshots of the detection in at least one case.
UNC2970’s primary phishing payloads are Microsoft Word documents embedded with macros that perform remote-template injection to pull down and execute a payload from a remote command-and-control (C2) server. UNC2970 has been observed tailoring the fake job descriptions to specific targets, according to Mandiant.
Once the conversation has moved to WhatsApp, the phishing payload is delivered to the target in the form of a job description. In some cases these attack chains have been observed to deploy trojanized versions of TightVNC (dubbed LIDSHIFT), which are designed to load a next-stage payload dubbed LIDSHOT, which in turn can download and execute shellcode from a remote server.
The ZIP file delivered by UNC2970 contained what the victim mistook for a job application skills assessment test. In reality, the ZIP contained an ISO file containing a trojanized version of TightVNC identified by Mandiant as LIDSHIFT. The victim was instructed to launch the TightVNC application, which, along with the other files, is labeled with the name of the company for which the victim intended to take the assessment.
The attack then installs the Plankwalk backdoor, which can in turn install a variety of other tools, including Microsoft's endpoint management application Intune. Endpoints enrolled in an organization’s Azure Active Directory service can be configured using Intune. UNC2970 appears to be using a legitimate application to circumvent endpoint security.
The sources for this piece include an article in Ars Technica.