UNC2970 is a North Korea–linked cyber espionage group that used job-themed phishing to target critical infrastructure and delivered a backdoor via a trojanized SumatraPDF. The operation leveraged a multi-stage infection chain, including a trojanized PDF viewer and a custom backdoor (MISTPEN) with persistence and C2 capabilities.
Read more: https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader/
Key points
- UNC2970 is a cyber espionage group suspected to have ties to North Korea and active since at least 2021, targeting multiple countries.
- The group uses phishing emails disguised as job offers to lure victims in critical infrastructure sectors.
- They copy and tailor job descriptions to fit specific targets, increasing the likelihood of engagement.
- Victims receive a password-protected ZIP archive containing a malicious PDF and a trojanized PDF viewer to deliver the backdoor.
- MISTPEN is a modified Notepad++ plugin that acts as the backdoor loaded via the trojanized viewer (BURNBOOK launcher).
- The campaign includes persistence mechanisms (scheduled tasks) and potential credential exfiltration via Microsoft Graph API.
- SumatraPDF owners were alerted by Mandiant; the campaign uses modified SumatraPDF components but is not a vulnerability in SumatraPDF itself.
MITRE Techniques
- [T1566] Phishing – “UNC2970 uses job-themed phishing emails to lure victims.”
- [T1203] Malicious File – “Victims download a malicious ZIP archive containing a trojanized PDF viewer and a backdoor.”
- [T1219] Remote Access Tools – “MISTPEN backdoor allows remote access to the infected system.”
- [T1053] Scheduled Task – “The malware creates a scheduled task to maintain persistence.”
- [T1003] Credential Dumping – “MISTPEN communicates with Microsoft Graph API to potentially exfiltrate credentials.”
- [T1574.001] DLL Search Order Hijacking – “loads the wtsapi32.dll file through DLL search-order hijacking.”
- [T1055] Process Injection – “MISTPEN is loaded reflectively into the memory space of SumatraPDF.exe and executed.”
Indicators of Compromise
- [File] BAE_Vice President of Business Development.pdf – Encrypted PDF containing MISTPEN payload.
- [MD5] 28a75771ebdb96d9b49c9369918ca581 – Associated with BAE_Vice President of Business Development.pdf.
- [MD5] cefc7b6e95f5a985b7319021441ae4e7 – Associated with PdfFilter.dll.
- [MD5] 2505610c490d24a98da730100175f262 – Associated with PdfPreview.dll.
- [MD5] 91841e006225ac500de7630740a21d91 – Associated with SumatraPDF.exe.
- [MD5] 57e8a7ef21e7586d008d4116d70062a6 – Associated with libmupdf.dll.
- [MD5] f3baee9c48a2f744a16af30220de5066 – Associated with libmupdf.dll.
- [File] SumatraPDF.exe – A legitimate open-source PDF viewer component (v3.3.3).
- [File] PdfFilter.dll – A legitimate DLL file required by SumatraPDF.exe.
- [File] PdfPreview.dll – A legitimate DLL file required by SumatraPDF.exe.
- [File] libmupdf.dll – A trojanized DLL used in the trojanized SumatraPDF infection flow.
- [File] wtsapi32.dll – Used in the loader chain (TEARPAGE).
- [URL] hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/token – Token exchange URL used by the MISTPEN configuration flow.
- [URL] hxxps://graph.microsoft[.]com/v1.0/me/drive/root:/path/upload/hello/ – C2 and payload transfer endpoint.
- [URL] hxxps://graph.microsoft[.]com/v1.0/me/drive/root:/path/upload/world/ – C2 activity.
- [URL] hxxps://graph.microsoft[.]com/v1.0/me/drive/items/ – C2 resource endpoint.
- [Domain] heropersonas[.]com – Network-based C2 or delivery domain.
- [Domain] bmtpakistan[.]com – Example compromised site used in earlier samples.
- [Domain] cmasedu[.]com – Example compromised site used in earlier samples.
- [Domain] dstvdtt[.]co[.]za – Example compromised site used in earlier samples.
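As an added defender-side example (written here, not code from the Mandiant write-up): a Python hunt script that walks a directory, matches file MD5s against the hashes listed above, and flags an app-local wtsapi32.dll sitting beside SumatraPDF.exe, the DLL search-order hijacking pattern noted under T1574.001. The sample folder it builds for the demo is constructed and contains only placeholder bytes, not real malware; the function names and layout are the example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 values from the indicator list above, keyed to the component they were reported with.
KNOWN_BAD_MD5 = {
    "28a75771ebdb96d9b49c9369918ca581": "BAE_Vice President of Business Development.pdf",
    "cefc7b6e95f5a985b7319021441ae4e7": "PdfFilter.dll",
    "2505610c490d24a98da730100175f262": "PdfPreview.dll",
    "91841e006225ac500de7630740a21d91": "SumatraPDF.exe",
    "57e8a7ef21e7586d008d4116d70062a6": "libmupdf.dll",
    "f3baee9c48a2f744a16af30220de5066": "libmupdf.dll",
}

# wtsapi32.dll is a Windows system DLL normally resolved from System32; a copy in the
# viewer's own folder is the search-order hijack placement described in the write-up.
SYSTEM_DLLS = {"wtsapi32.dll"}

def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large DLLs are not read into memory at once."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_directory(root: Path, bad_md5: dict = KNOWN_BAD_MD5) -> list:
    """Return (finding, path) pairs for hash hits and app-local system DLLs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        lower_names = {f.lower() for f in files}
        for f in files:
            digest = md5_of(d / f)
            if digest in bad_md5:
                findings.append((f"md5 match {digest} ({bad_md5[digest]})", str(d / f)))
        if "sumatrapdf.exe" in lower_names:
            for dll in SYSTEM_DLLS & lower_names:
                findings.append((f"app-local {dll} beside SumatraPDF.exe (possible search-order hijack)", str(d / dll)))
    return findings

def build_sample_dir() -> Path:
    """Constructed sample layout (placeholder bytes only): a viewer folder with the hijack pattern."""
    root = Path(tempfile.mkdtemp(prefix="sumatra_hunt_"))
    for name in ("SumatraPDF.exe", "libmupdf.dll", "wtsapi32.dll"):
        (root / name).write_bytes(b"constructed placeholder: " + name.encode())
    (root / "docs").mkdir()
    (root / "docs" / "readme.txt").write_bytes(b"benign text file")
    return root

def demo() -> list:
    """Scan the constructed folder; the placeholder libmupdf.dll digest stands in for a listed hash."""
    root = build_sample_dir()
    bad = dict(KNOWN_BAD_MD5)
    bad[md5_of(root / "libmupdf.dll")] = "libmupdf.dll (constructed sample)"
    return sorted(kind for kind, _path in scan_directory(root, bad))
```

On a real host, point scan_directory at user-writable locations (Downloads, Temp, extracted ZIP folders) rather than the constructed sample, and treat a hash hit or an app-local wtsapi32.dll as a trigger for full triage of the machine and its scheduled tasks.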