Mandiant experts noticed that North Korean hackers have focused their attention and attacks on information security specialists. Attackers try to infect researchers with malware in the hope of infiltrating the networks of companies that the targets work for.
Let me remind you that we also wrote that Nearly 50% of Cybersecurity Leaders Will Change Jobs by 2025, and also that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies.
The media also wrote that FBI Links North Korean Lazarus Hackers to Harmony Hack and $100 Million Theft.
Mandiant says it first discovered the North Korean hacking campaign in June 2022 while tracking a phishing campaign targeting a US technology client. Then the hackers tried to infect the target with three new malware families (Touchmove, Sideshow and Touchshift).
Shortly thereafter, there was a spate of attacks on American and European media by the UNC2970 group, which Mandiant links to North Korea. For these attacks, UNC2970 used spear-phishing emails disguised as job offers in an attempt to coerce their targets into installing the malware.
Researchers say that UNC2970 recently changed tactics and now switched from using phishing emails to using fake LinkedIn accounts allegedly owned by HR. Such accounts carefully imitate the identities of real people in order to deceive the victims and increase the chances of the attack being successful.
After contacting the victim and making her an “interesting job offer”, the attackers try to transfer the conversation to WhatsApp, and then use either the messenger itself or email to deliver the backdoor, which Mandiant called Plankwalk, as well as other malware families.
Plankwalk and other malware in the group mainly use macros in Microsoft Word. When the document is open and macros are enabled, the target machine downloads and executes the malicious payload from the hackers’ servers (mostly hacked WordPress sites). As a result, a ZIP archive is delivered to the target machine, which, among other things, contains a malicious version of the TightVNC remote desktop application that Mandiant monitors under the name LIDSHIFT.
One of the documents used for the attacks can be seen below, where the hackers impersonate the New York Times.
Not only does TightVNC act as a legitimate remote desktop access tool, LIDSHIFT also contains many hidden features. The first is that once executed by the user, the malware sends a beacon to its hard-coded C&C server. In this case, the only action that was required from the user was the launch of the program itself. This LIDSHIFT beacon contains the original username and hostname of the victim.
The second feature of LIDSHIFT is to inject an encrypted DLL into memory. DLL is a trojanized Notepad++ plugin that functions as a loader and is tracked under the name LIDSHOT. LIDSHOT is injected as soon as the victim opens the dropdown in the TightVNC Viewer app.
LIDSHOT performs two main functions: enumeration, as well as downloading and executing shellcode from the management server.says the Mandiant report.
As a result, Plankwalk paves the way for introducing additional tools to the target machine, including:
- TOUCHHIFT is a dropper that downloads other malware, ranging from keyloggers and screenshot utilities to full-featured backdoors;
- TOUCHSHOT – takes screenshots every three seconds;
- TOUCHKEY – a keylogger that captures keystrokes and intercepts data from the clipboard;
- HOOKSHOT is a tunneling tool that connects via TCP to communicate with the server management server;
- TOUCHMOVE – a loader designed to decrypt and execute a payload;
- SIDESHOW is an AC/C++ backdoor that runs arbitrary commands and communicates via HTTP POST requests with its command and control server.
It is also reported that UNC2970 used Microsoft Intune to manage endpoints and download a PowerShell script containing a payload in the form of a CLOUDBURST backdoor written in C. It is assumed that UNC2970 uses this legitimate application to bypass endpoint protection.
