TLDR:
- UNC2970 hackers are targeting job seekers with weaponized PDF files.
- They use sophisticated phishing tactics to deliver malware to victims.
In a recent report, cybersecurity analysts at Google Mandiant identified UNC2970 hackers actively attacking job seekers by using malicious PDF readers. These trojanized PDF readers are disguised as legitimate PDF viewing applications and exploit vulnerabilities to trick users into executing malicious code. The hackers pose as recruiters and send tailored job descriptions for senior-level positions to lure victims into opening password-protected ZIP archives containing the trojanized PDF readers.
The hackers use a modified version of “SumatraPDF” to launch a malicious backdoor named “MISTPEN” that communicates with Microsoft Graph APIs. This backdoor allows the hackers to download and execute PE files while evading security measures. UNC2970 targets sectors such as aerospace, energy, and nuclear by sending job-themed phishing emails to multinational companies.
The campaign doesn’t exploit vulnerabilities in SumatraPDF but instead modifies its open-source code to deliver the malicious payload. The group employs various tactics like DLL search order hijacking and encryption to bypass security measures and maintain persistence on infected systems.
The MISTPEN backdoor communicates over HTTPS with Microsoft endpoints, allowing the hackers to update configurations, load PE payloads, and execute commands. The malware suite is linked to UNC2970, a suspected North Korean cyber espionage group targeting U.S. critical infrastructure sectors. The group employs sophisticated phishing tactics to deceive victims and spread malware through weaponized PDF files.
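Because MISTPEN hides its C2 inside HTTPS traffic to Microsoft Graph, a useful defender check is to flag processes that contact Graph or Microsoft identity endpoints but are not known Graph clients, such as a PDF reader. The script below is an added example of that detection logic, not code from the Mandiant report; the log format, the allowlist of expected Graph clients, and the sample lines are all constructed assumptions.

```python
"""Flag processes that reach Microsoft Graph / identity endpoints but are not
expected Graph clients. Example detection logic, not from the Mandiant report."""
from collections import defaultdict

# Constructed sample proxy/EDR lines: "<utc time> <host> <process> <destination host>"
SAMPLE_LOGS = """\
2024-09-10T09:14:02Z ws01 OUTLOOK.EXE graph.microsoft.com
2024-09-10T09:15:44Z ws01 SumatraPDF.exe login.microsoftonline.com
2024-09-10T09:15:45Z ws01 SumatraPDF.exe graph.microsoft.com
2024-09-10T09:16:10Z ws02 Teams.exe graph.microsoft.com
2024-09-10T09:17:30Z ws02 chrome.exe example.org
"""

# Endpoints a Graph-based backdoor blends into (assumed list; extend for your tenant)
GRAPH_ENDPOINTS = {"graph.microsoft.com", "login.microsoftonline.com"}

# Hypothetical allowlist: processes expected to use Graph in this environment
EXPECTED_GRAPH_CLIENTS = {"outlook.exe", "teams.exe", "onedrive.exe"}


def parse_log(text):
    """Yield (host, process, destination) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, host, process, dest = parts
        yield host, process, dest.lower()


def find_unexpected_graph_clients(text, allowlist=EXPECTED_GRAPH_CLIENTS):
    """Return {(host, process): [destinations]} for processes outside the
    allowlist that contact Graph or identity endpoints."""
    hits = defaultdict(list)
    for host, process, dest in parse_log(text):
        if dest in GRAPH_ENDPOINTS and process.lower() not in allowlist:
            hits[(host, process)].append(dest)
    return dict(hits)


if __name__ == "__main__":
    for (host, proc), dests in find_unexpected_graph_clients(SAMPLE_LOGS).items():
        print(f"{host}: {proc} -> {', '.join(dests)}")
```

Tune the allowlist to the Graph-using software actually deployed; a PDF reader reaching login.microsoftonline.com followed by graph.microsoft.com is the pattern worth triaging.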