Phishing, Malware, Threat Intelligence, Critical Infrastructure Security

Novel backdoor leveraged in North Korean hackers’ global aerospace, energy attacks


Aerospace and energy organizations in the U.S., Singapore, Australia, and other parts of the world have been targeted by North Korean cyberespionage operation UNC2970 with job-themed phishing lures aimed at spreading the novel MISTPEN backdoor, reports The Hacker News.

After establishing trust with targets via spear-phishing emails that posed as job openings for senior- and manager-level employees at high-profile companies, UNC2970 delivered a malicious ZIP file masquerading as a job description, an analysis from Google Cloud's Mandiant revealed. Opening the job-description PDF with a malicious copy of the Sumatra PDF reader deploys the BURNBOOK launcher, which in turn triggers MISTPEN through an integrated TEARPAGE loader, according to the researchers, who also observed continuous enhancements to the BURNBOOK and MISTPEN payloads. "The threat actor has improved their malware over time by implementing new features and adding a network connectivity check to hinder the analysis of the samples," said researchers.
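The delivery chain above rests on a lure document that is opened with an attacker-supplied reader. As an added example (not code from Mandiant, SC Media or the report), the Python below flags a "job description" archive that carries a document together with a Windows executable, on the assumption that the malicious reader ships inside the ZIP; the file names and the sample archive are constructed placeholders.

```python
import io
import zipfile

# Added example (not Mandiant's or SC Media's code). Flags the delivery
# pattern described above: a "job description" archive that carries a PDF
# together with its own (trojanized) PDF reader. Real job descriptions do
# not bundle a reader, so the combination is worth quarantining for review.
DOC_EXT = (".pdf", ".doc", ".docx")
EXEC_EXT = (".exe", ".dll", ".scr", ".com")
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE file


def scan_zip(data: bytes) -> dict:
    """Return documents, executables and a suspicious flag for an in-memory ZIP."""
    docs, execs = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            if lower.endswith(DOC_EXT):
                docs.append(name)
                continue
            # Extension check plus MZ magic, so a renamed PE (e.g. "viewer.dat")
            # is still counted as an executable.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if lower.endswith(EXEC_EXT) or magic == MZ_MAGIC:
                execs.append(name)
    return {"documents": docs, "executables": execs,
            "suspicious": bool(docs) and bool(execs)}


def build_sample(bundle_reader: bool = True) -> bytes:
    """Constructed archive mimicking the lure; file names are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.7 placeholder")
        if bundle_reader:
            zf.writestr("SumatraPDF.exe", MZ_MAGIC + b"\x90" * 62)
            zf.writestr("viewer.dat", MZ_MAGIC + b"\x90" * 62)  # renamed DLL
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample()))
```

A mail gateway or sandbox pre-filter can run the same check on attachments before a user ever sees the "job description".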
