An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
Essential information
- Published
- 18/09/2024 08:47
- Modified
- 18/09/2024 09:03
- Tags
- 2024-09-18 backdoor burnbook phishing
- Related entities
- 14 observables, 1 intrusion sets (apt), 12 techniques (mitre), 3 malware, 13 others
Description
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP archive containing an encrypted PDF and modified PDF viewer. BURNBOOK decrypts and executes MISTPEN, which can download and run PE files. TEARPAGE, embedded in BURNBOOK, loads MISTPEN through DLL hijacking. The malware evolved to include network checks and new features. UNC2970 has targeted victims in multiple countries, focusing on senior-level employees in critical sectors.