A North Korean hacking group, dubbed UNC2970, has been targeting security researchers and media organizations in the US and Europe, according to cybersecurity firm Mandiant.
The group has been deploying three new, custom malware families through fake job offers sent via WhatsApp. The malware includes a C++ backdoor called PlankWalk, which allows the hackers to establish a foothold in the target’s corporate environment.
Mandiant has attributed the campaign to UNC2970, rather than the North Korean Lazarus group, which has been involved in similar activities.
The group has evolved its targeting scope and adapted its capabilities, using previously unseen malware named TOUCHMOVE, SIDESHOW, and TOUCHSHIFT.
The attackers start their attacks on LinkedIn, posing as job recruiters before shifting to WhatsApp, where they share a Word document embedded with malicious macros.
These macros perform remote template injection, fetching a trojanized build of TightVNC from compromised WordPress sites that double as the attackers' command-and-control (C2) servers.
Mandiant tracks that trojanized TightVNC build as LidShift. When run, it reflectively loads an encrypted DLL into memory; that DLL is a downloader named LidShot, which retrieves and deploys the final foothold-establishing payload, the PlankWalk backdoor, on the breached device.
The group has also been found to be using a new, custom malware dropper called TouchShift, which disguises itself as a legitimate Windows binary.
In addition to its malware, UNC2970 uses a “bring your own vulnerable driver” (BYOVD) tactic to disable endpoint detection and response (EDR) tools.
The group has exploited a zero-day flaw in an ASUS driver, Driver7.sys, to perform arbitrary read and write operations on the kernel memory.
That kernel read/write primitive is then used to patch kernel routines that EDR software relies on, blinding the sensor rather than uninstalling it, which helps the hackers evade detection.
UNC2970 previously targeted security researchers by creating fake social media personas that posed as vulnerability researchers.
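The BYOVD technique described above works precisely because the abused driver is legitimately signed, so a signature check alone will not catch it. The triage routine below is an added example for this article, not Mandiant's detection content: it parses Sysmon Event ID 6 (Driver loaded) records and flags a load when the driver name is on a watchlist (constructed here, and including Driver7.sys because the article names it), the signature is not valid, or the image was loaded from outside the standard driver directories. The event records are constructed for the example; a production version should match on file hashes from Microsoft's vulnerable driver blocklist rather than on file names, which are trivially renamed.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.

Added illustration for this article; not Mandiant's or Sysmon's own code.
The watchlist and the sample events are constructed for demonstration.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed watchlist. Driver7.sys is named in the article; real deployments
# should key on SHA-256 hashes from Microsoft's vulnerable driver blocklist.
WATCHLIST = {"driver7.sys"}

# Directories from which drivers are normally loaded on Windows.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_event(xml_text: str) -> dict:
    """Flatten the <EventData><Data Name=...> pairs of a Sysmon event."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall("./e:EventData/e:Data", NS)}


def triage(xml_text: str) -> list:
    """Return the list of reasons a driver load is suspicious (empty if none)."""
    d = parse_event(xml_text)
    path = d.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in WATCHLIST:
        reasons.append("watchlisted driver name")
    # Signed-but-vulnerable drivers pass this check; it only catches the sloppy cases.
    if d.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    if not path.lower().startswith(TRUSTED_DIRS):
        reasons.append("loaded from non-standard path")
    return reasons


def _event(image, signed, signature, status):
    """Build a constructed Sysmon Event ID 6 record."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2023-03-09 12:00:00.000</Data>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">SHA256=PLACEHOLDER</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signature}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


# Constructed sample events: one routine Windows driver load, one BYOVD-style
# load of a validly signed third-party driver dropped into a user-writable path.
BENIGN_EVENT = _event(r"C:\Windows\System32\drivers\ndis.sys", "true", "Microsoft Windows", "Valid")
BYOVD_EVENT = _event(r"C:\Users\Public\Driver7.sys", "true", "ASUSTeK Computer Inc.", "Valid")


if __name__ == "__main__":
    for label, ev in (("benign", BENIGN_EVENT), ("byovd", BYOVD_EVENT)):
        print(label, triage(ev) or "clean")
```

Note that the BYOVD sample carries a valid signature and is still flagged twice; that is the point of the path and watchlist checks, and why the signature field is the weakest of the three.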