A North Korean-linked threat group with a history of using fake job offers in its scams is targeting high-level executives at energy and aerospace organizations with more job-related phishing lures aimed at convincing victims to inadvertently download a previously unknown backdoor.
The group, tracked as UNC2970, poses as a job recruiter sending employment openings via email to senior- and manager-level employees, suggesting that “the threat actor aims to gain access to sensitive and confidential information that is typically restricted to higher-level employees,” threat intelligence researchers from Google’s Mandiant organization wrote in a report this week.
Mandiant researchers in June detected the group using phishing lures from companies in the energy and aerospace sectors to target victims in the same verticals, copying legitimate job descriptions and tailoring them to fit its efforts. In one instance, the UNC2970 actors communicated with a victim via email and the free messaging service WhatsApp and eventually shared what the hackers said was a job description in a PDF contained in a password-protected ZIP file.
The PDF was encrypted and could only be opened with a trojanized version of the legitimate open source SumatraPDF reader, which also was included in the message. The bad actors’ aim was to deliver the undocumented MISTPEN backdoor through the BURNBOOK launcher and use it to steal information.
MISTPEN itself is a trojanized version of a legitimate Notepad++ plugin.
Mandiant has been tracking UNC2970 since 2021, saying in a report last year that it is affiliated with North Korea’s Reconnaissance General Bureau (RGB) and is also known as Temp.Hermit. Temp.Hermit has been active since at least 2013 and is a key actor operating under the Lazarus Group umbrella, which in the murky world of North Korean cyberthreats covers a number of groups. It has a history of targeting government, defense, telecommunications, and financial institutions worldwide.
The analysts saw a similar operation in 2022 by a North Korean group called UNC4034, which was later folded into UNC2970. UNC2970 has been seen targeting victims in a number of countries, including the United States, the UK, the Netherlands, Sweden, Germany, Cyprus, Singapore, Hong Kong, and Australia.
UNC2970’s campaign is part of a years-long effort by North Korea-aligned groups that use prospective jobs as a way to position themselves to drop malware and steal information and money; the proceeds are used by the country’s government to get around international sanctions and aid its ballistic and nuclear weapons programs.
Not only do they target workers with fake job ads, but North Korean hackers also apply to open IT jobs at companies in hopes of planting an operative inside the company to steal information.
In this case, the hackers took original job descriptions and altered them to suit their purposes and better align with the targeted victim, according to the Mandiant researchers.
“For example, under the ‘Required Education, Experience, & Skills’ section, the original post mentions ‘United States Air Force or highly comparable experience,’ while the malicious PDF omits this line,” they wrote. “Another omitted line is under the ‘Preferred Education, Experience, & Skills’ section, where the original job description includes ‘Preferred location McLean, Virginia.’”
They added that they also “discovered a similar ZIP archive that was uploaded to VirusTotal, having an identical structure, but containing a different job description. The PDF content is consistent with a legitimate job description from the nuclear energy sector.”
When the victim opened the ZIP file received via WhatsApp, they expected to see a document containing the job description. Instead, there were several files in the ZIP archive, including an encrypted file containing both the PDF and the MISTPEN malware.
Another file contained the BURNBOOK file dropper and an embedded dynamic-link library (DLL) that the researchers tracked as TEARPAGE, which executed the MISTPEN backdoor when the system rebooted. Other files contained legitimate DLL files for the SumatraPDF reader and a legitimate PDF reader application component.
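The archive layout described above, a document shipped together with the reader needed to open it, is a pattern a mail or endpoint gateway can flag before anything runs. The following triage check is an added example written for this article, not code from Mandiant or the SumatraPDF project; the archives and file names it builds are constructed samples.

```python
import io
import zipfile

# Extensions that mark a member as a lure document or as a Windows executable.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}


def _ext(name: str) -> str:
    name = name.lower()
    i = name.rfind(".")
    return name[i:] if i >= 0 else ""


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP and report members that look like documents, members that
    look like PE executables (by extension or by the 'MZ' header, which catches
    an executable renamed to .pdf), and members stored with ZIP encryption.
    The archive is 'suspicious' when a document is bundled with an executable,
    the bring-your-own-reader layout used in the campaign described above."""
    findings = {"documents": [], "executables": [], "encrypted": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
            if encrypted:
                findings["encrypted"].append(name)
            if _ext(name) in DOC_EXTS:
                findings["documents"].append(name)
            is_pe = _ext(name) in EXEC_EXTS
            if not is_pe and not encrypted:  # content check needs a readable member
                with zf.open(info) as fh:
                    is_pe = fh.read(2) == b"MZ"
            if is_pe:
                findings["executables"].append(name)
    findings["suspicious"] = bool(findings["documents"] and findings["executables"])
    return findings


def build_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample mimicking the lure: a PDF next to a bundled reader and a DLL.
LURE = build_archive({"Job_Description.pdf": b"%PDF-1.7\n%%EOF\n",
                      "SumatraPDF.exe": b"MZ" + b"\x00" * 64,
                      "helper.dll": b"MZ" + b"\x00" * 64})
# Constructed benign sample: the job description on its own.
BENIGN = build_archive({"Job_Description.pdf": b"%PDF-1.7\n%%EOF\n"})
```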
The bad actors didn’t exploit any vulnerability in the SumatraPDF reader, the researchers wrote. Instead, they modified the open source code of an older version of the reader. Mandiant alerted SumatraPDF about the UNC2970 campaign.
“On the infected host, Mandiant observed a suspicious network connection from the SumatraPDF process towards a compromised SharePoint domain belonging to a university,” they wrote. “As this connection occurred after MISTPEN execution, Mandiant assesses that the SharePoint URL was part of the in-memory execution of payloads sent to the backdoor after establishing communication with the C2 [command-and-control server], leaving no other traces on disk.”