Stay ahead of threats with Hoplon Infosec’s expert testing, audits, and threat intelligence.
Hoplon InfoSec Logo

UNC2970 Hackers are Targeting Job Seekers with Weaponized PDF Files

UNC2970 Hackers are Targeting Job Seekers with Weaponized PDF Files

Hoplon InfoSec

18 Sep, 2024

In an alarming development in the realm of cyber threats, the UNC2970 Hackers are Targeting Job Seekers, employing sophisticated phishing tactics and weaponized PDF files to deliver malicious payloads. As this group, suspected to be linked to North Korean cyber espionage, continues its targeted attacks on U.S. critical infrastructure sectors, it’s essential to understand the intricacies of their methods and the implications for job seekers and organizations alike. 

Who is UNC2970? 

UNC2970 is a cyber espionage group believed to have ties to North Korea. In June 2024, cybersecurity analysts at Google Mandiant uncovered the group’s activities, which are aimed at infiltrating critical infrastructure sectors, including aerospace, energy, and nuclear industries. Their tactics have evolved, showcasing an alarming sophistication that raises significant concerns for individuals seeking employment in these fields. 

The Tactics of UNC2970: Sophisticated Phishing Attacks 

One of the hallmark strategies employed by UNC2970 is their use of sophisticated phishing emails. Posing as recruiters, they craft tailored job descriptions for senior-level positions to lure potential victims. These emails often appear legitimate, which heightens the risk of unsuspecting individuals downloading malicious files. 

Weaponized PDF Readers: The Infection Chain 

At the heart of UNC2970’s attacks lies the use of weaponized PDF readers. Specifically, they utilize a trojanized version of “SumatraPDF” (v3.4.3 or earlier). The infection process is both cunning and technical: 

  1. Initial Contact: Victims receive an email containing a password-protected ZIP archive. 
  1. Contents of the Archive: Inside the ZIP, there are two critical components: 
  • An encrypted PDF file. 
  • A modified version of the SumatraPDF application. 

When the victim attempts to open the PDF, it triggers a series of malicious actions. 

The Malicious Payload: BURNBOOK and MISTPEN 

BURNBOOK: The Enabler 

Once the trojanized PDF reader is executed, it launches the “BURNBOOK” process. This malicious component utilizes a specialized library (libmupdf.dll) to decrypt the embedded PDF file. The decryption employs the ChaCha20 cipher, utilizing a 32-byte key and a 12-byte nonce, ensuring that the malicious payload remains concealed until execution. 

MISTPEN: The Backdoor 

The next stage involves the loading of the “MISTPEN” backdoor, which is implemented as a modified Notepad++ plugin (binhex.dll). This backdoor can perform a variety of malicious actions, including: 

  • Downloading and executing Portable Executable (PE) files. 
  • Communicating over HTTPS with Microsoft endpoints, such as login.microsoftonline.com and graph.microsoft.com. 

Command Functionality of MISTPEN 

MISTPEN offers a range of commands that enable the attackers to manipulate the infected system: 

  • ‘d’: Load and execute PE payloads. 
  • ‘e’: Terminate the backdoor process. 
  • ‘f’: Enter sleep mode to evade detection. 
  • ‘g’: Update its configuration. 

Persistence and Evasion Techniques 

For persistence, MISTPEN creates a scheduled task named “Sumatra Launcher” in the user’s application data directory, employing DLL search-order hijacking. This technique allows the malware to maintain a foothold in the infected system, ensuring it can execute its malicious payload even after a reboot. 

Moreover, the backdoor’s configuration settings are stored in a file named “setup.bin,” which enables the attackers to maintain control over the compromised system and execute their commands as needed. 

DLL Search Order Hijacking: A Key Evasion Technique 

One of the most concerning aspects of the UNC2970 malware campaign is its use of DLL search-order hijacking. This technique involves manipulating the search order for DLL files in Windows, allowing malicious DLLs to be executed instead of legitimate ones. By embedding malicious code into commonly used applications like SumatraPDF, the hackers can bypass many security measures that might otherwise flag the attack. 

Targeting Critical Infrastructure: The Implications 

The implications of these attacks extend far beyond individual job seekers. By targeting multinational companies across various sectors, UNC2970 poses a significant threat to critical infrastructure. The aerospace, energy, and nuclear sectors are vital for national security, and any compromise in these areas could have far-reaching consequences. 

Best Practices for Job Seekers

Given the risks associated with these sophisticated phishing attacks, job seekers must adopt a proactive approach to safeguard their personal information and digital security: 

  1. Be Skeptical of Unsolicited Emails: Always verify the legitimacy of emails, especially those that contain attachments or links. 
  1. Avoid Downloading Unknown Files: Refrain from downloading files from unknown sources. Even if the email appears to be from a legitimate recruiter, it’s best to err on the side of caution. 
  1. Utilize Antivirus Software: Ensure that you have up-to-date antivirus and anti-malware software installed on your devices. 
  1. Educate Yourself on Phishing Tactics: Familiarize yourself with common phishing tactics to better recognize suspicious emails. 

Conclusion 

The emergence of UNC2970 and their sophisticated tactics underscores the necessity for heightened vigilance among job seekers and organizations alike. As cyber threats continue to evolve, understanding the mechanisms behind these attacks is crucial for implementing effective defenses. 

By staying informed and adopting best practices, individuals can better protect themselves from becoming victims of such malicious campaigns. 

Frequently Asked Questions (FAQs) 

What is UNC2970? 

UNC2970 is a suspected North Korean cyber espionage group known for targeting critical infrastructure sectors using sophisticated phishing tactics. 

How do UNC2970 hackers deliver malware? 

They employ weaponized PDF files disguised as legitimate applications, often delivered through phishing emails posing as job offers. 

How do UNC2970 hackers deliver malware? 

They employ weaponized PDF files disguised as legitimate applications, often delivered through phishing emails posing as job offers. 

What is BURNBOOK? 

BURNBOOK is a malicious library that decrypts embedded PDF files and facilitates the execution of further malicious payloads on infected systems. 

What is MISTPEN? 

MISTPEN is a backdoor created by UNC2970 that allows hackers to execute commands, download files, and maintain persistence on compromised systems. 

How can job seekers protect themselves? 

Job seekers should verify the legitimacy of emails, avoid downloading unknown files, use antivirus software, and educate themselves about phishing tactics. 

What sectors are primarily targeted by UNC2970? 

The group mainly targets critical infrastructure sectors, including aerospace, energy, and nuclear industries. 

By staying informed and vigilant, individuals can enhance their cybersecurity posture and reduce the risk of falling victim to such sophisticated attacks. 

​​References 

​​Marco Galli, D. I. (2024, September 18). An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader. Retrieved from Google Cloud: https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader 

​Senapathi, V. (2024, September 18). UNC2970 Hackers Targeting Job Seekers with Weaponized PDF Files. Retrieved from Cyber Security News: https://cybersecuritynews.com/hackers-targeting-job-seekers/ 

Share this :

Latest News