North Korean hackers are attacking cybersecurity researchers and media organizations in the US and Europe with fake job offers that lead to the deployment of three new families of malware, Mandiant said.
The attackers use social engineering to convince their targets to move the conversation to WhatsApp, where they deliver a malware payload onto the victims' devices: "PlankWalk", a C++ backdoor that gives the attackers a foothold in the target's corporate environment.
Mandiant has been tracking the campaign since June 2022 and attributes it to a group it tracks as "UNC2970". In addition, the attackers are using previously unknown malware named "TouchMove", "SideShow", and "TouchShift".
The chain of attacks begins with hackers contacting LinkedIn targets posing as recruiters. They then convince the victims to go to WhatsApp, where they send a Word document with malicious macros embedded. In some cases, these Word documents are styled for specific positions.
The Word document's macros perform a Remote Template Injection attack to fetch a trojanized version of "TightVNC" (a remote desktop program) from compromised WordPress sites that serve as the attackers' command and control (C2, C&C) servers.
The trojanized TightVNC is the "LidShift" backdoor; once executed, it uses Reflective DLL Injection to load an encrypted DLL into memory. That DLL is a trojanized Notepad++ plugin: a downloader called "LidShot" that enumerates the system and then deploys the "PlankWalk" backdoor payload.
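A defender-side check for the Remote Template Injection step described above, added here as an example (it is not code from the article or from Mandiant). It uses only the Python standard library, inspects an OOXML package for an externally hosted attached template and for an embedded VBA project, and builds its own constructed test package in memory:

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")


def inspect_office_document(data: bytes) -> dict:
    """Scan an OOXML (.docx/.docm) package for two indicators discussed above:
    an attached template fetched from an external URL (Remote Template
    Injection) and an embedded VBA project (macros)."""
    findings = {"has_macros": False, "remote_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name == "word/vbaProject.bin":
                findings["has_macros"] = True
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # Legitimate templates are package-internal; an External target
                # that Word must fetch at open time is the remote-template pattern.
                if (rel.get("Type") == TEMPLATE_REL
                        and rel.get("TargetMode", "Internal") == "External"):
                    findings["remote_templates"].append(rel.get("Target", ""))
    return findings


def build_sample(template_target=None, with_macros=False) -> bytes:
    """Construct a minimal package in memory (constructed test data, not a real
    document, and the URL is a placeholder) so the check runs offline."""
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/settings.xml.rels", rels)
        if with_macros:
            pkg.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample("http://template.example.invalid/job.dotm", with_macros=True)
    print(inspect_office_document(doc))
```

Run over a mail gateway's attachment quarantine, a non-empty remote_templates list on a recruiter-themed document is the triage signal the article describes.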
In the post-exploitation phase, the hackers use a new custom dropper called "TouchShift" that masquerades as a Windows binary (mscoree.dll or netplwix.dll).
"TouchShift" then loads:
- "TouchShot", a screenshot utility;
- "TouchKey", a keylogger;
- "HookShot", a tunneling tool;
- "TouchMove", a loader;
- "SideShow", a backdoor.
The most notable of these is the "SideShow" backdoor, which supports 49 commands that allow an attacker to, among other things:
- execute arbitrary code on the device;
- modify the registry;
- manage firewall settings;
- add new scheduled tasks;
- deliver additional payloads.
Mandiant also discovered that in the latest campaign, UNC2970 used a BYOVD (Bring Your Own Vulnerable Driver) attack to deliver a LightShift dropper that downloads an obfuscated payload called LightShow.
LightShow uses a vulnerable ASUS driver (Driver7.sys) to perform arbitrary reads and writes to kernel memory and patch kernel routines used by EDR solutions, allowing the attackers to evade detection.
North Korean hackers have previously targeted security professionals by contacting them on social media from fake security researcher profiles and then sending victims malicious Visual Studio projects and MHTML files that exploited an Internet Explorer zero-day vulnerability. These files were used to deploy malware on the victims' devices and gain remote access to their computers.