Stealing the LIGHTSHOW (Part One) — North Korea’s UNC2970 | Mandiant

Mandiant describes UNC2970’s June 2022 campaign that used LinkedIn/WhatsApp social engineering and spear-phishing to deliver multiple custom loaders and backdoors (TOUCHSHIFT/TOUCHMOVE/SIDESHOW/PLANKWALK/CLOUDBURST) enabling remote execution, process injection, and HTTP(S) C2. The report details Intune-based distribution of CLOUDBURST via malicious PowerShell, DLL sideloading techniques, and trojanized ISOs used to establish footholds. #UNC2970 #PLANKWALK

Keypoints

  • UNC2970 (suspected DPRK actor) targeted Western media and technology organizations using LinkedIn and WhatsApp social engineering leading to spear-phishing with job-themed lures.
  • Initial access vectors included Microsoft Word documents with macros performing remote-template injection and trojanized ISO files containing a modified TightVNC (LIDSHIFT) that beacons on launch.
  • Primary foothold and persistence tools observed: PLANKWALK (DLL sideloading backdoor), CLOUDBURST (Intune-distributed downloader), TOUCHSHIFT dropper, TOUCHMOVE loader, and SIDESHOW backdoor.
  • Post-exploitation tooling includes screen capture (TOUCHSHOT), keylogging/clipboard capture (TOUCHKEY), tunneling (HOOKSHOT using TLS), reflective DLL injection (LIDSHOT), and broad command capabilities in SIDESHOW (49+ commands via HTTP POST).
  • Attack infrastructure commonly used compromised WordPress sites for C2 and leveraged Microsoft Intune/Intune Management Extension to deploy Base64-encoded PowerShell that writes mscoree.dll and uses PresentationHost.exe to sideload payloads.
  • TOUCHSHIFT uses DLL Search Order Hijacking and in-memory unpacking (XOR-based key generation using command-line args and legitimate filename) to execute payloads without touching disk.
  • Mandiant provides detection signatures, YARA-like rules, and IOCs (file hashes, C2 URLs, GUIDs, file paths) to assist defenders in hunting and remediation.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – UNC2970 delivered malicious Word documents and ZIP/ISO lures via social engineering: [‘The phishing payload that masqueraded as a job description.’]
  • [T1221] Remote Template Injection – Word documents with macros used remote templates to pull and execute C2 payloads: [‘Microsoft Word documents embedded with macros to perform remote-template injection to pull down and execute a payload from a remote command and control (C2).’]
  • [T1059.001] PowerShell – Attackers used PowerShell delivered by Intune to decode and write payload DLLs: [‘"PolicyBody":"$EnModule = "[Base64_encoded_CLOUDBURST_payload]" … Set-Content "C:\ProgramData\mscoree.dll" -Value $DeModule -Encoding Byte"’]
  • [T1078] Valid Accounts – A previously compromised Intune account was used to create, assign, and delete Device Management Scripts: [‘the threat actors used a previously compromised account to perform a create, assign, patch, and finally a delete action of a Device Management Script’].
  • [T1574.001] DLL Search Order Hijacking – TOUCHSHIFT masquerades as legitimate DLLs and relies on DLL search order to execute its malicious export: [‘TOUCHSHIFT leverages DLL Search Order Hijacking to use the legitimate file to load and execute itself.’]
  • [T1055] Process Injection – Multiple tools inject payloads or shellcode into processes (LIDSHOT, SIDESHOW commands): [‘LIDSHOT … downloading and executing shellcode from the C2’ and ‘Execute PE payload via process injection for specified PID’].
  • [T1113] Screen Capture – TOUCHSHOT captures screenshots at frequent intervals for staging and exfiltration: [‘TOUCHSHOT takes screenshots of the system on which it is running and saves them to a file … configured to take a screenshot every three seconds’].
  • [T1056.001] Input Capture: Keylogging – TOUCHKEY captures keystrokes and clipboard content to staging files: [‘TOUCHKEY is a keylogger that captures keystrokes and clipboard data, both of which are encoded … and saved to a file.’]
  • [T1105] Ingress Tool Transfer – Download/execution of additional components and shellcode from C2 (CLOUDBURST/PLANKWALK): [‘CLOUDBURST then downloads and executes shellcode from the C2 server.’]
  • [T1071.001] Application Layer Protocol: Web Protocols – SIDESHOW and other tools communicate with C2 via HTTP(S) POST requests to compromised WordPress endpoints: [‘SIDESHOW is a backdoor written in C/C++ that communicates via HTTP POST requests with its C2 server.’]
  • [T1572] Protocol Tunneling – HOOKSHOT tunnels traffic over TLS between IP/port pairs to proxy communications: [‘HOOKSHOT will then create a socket using these two IP addresses, and tunnel traffic across them utilizing TLSv1.0.’]

Indicators of Compromise

  • [File Hash] malware samples – e97b13b7e91edeceeac876c3869cc4eb (PLANKWALK), 30358639af2ecc217bbc26008c5640a7 (LIDSHIFT), and 11 more hashes
  • [Domain / URL] C2 endpoints – hxxps://crickethighlights[.]today/wp-content/plugins/contact.php (CLOUDBURST C2), hxxps://leadsblue[.]com/wp-content/wp-utility/index.php (LIDSHOT C2), and other compromised WordPress URLs
  • [File paths / filenames] on-host artifacts – C:\ProgramData\mscoree.dll (CLOUDBURST payload), C:\ProgramData\PresentationHost.exe (sideload launcher), C:\ProgramData\Microsoft\Vault\cache###.db (PLANKWALK encrypted payload)
  • [File names] lure/dropper names – destextapi.dll / manextapi.dll / pathextapi.dll (observed first-stage launcher filenames used to load PLANKWALK), PresentationHost.exe (used for sideloading)
  • [GUID] Intune/Policy identifiers – f391eded-82d3-4506-8bf4-9213f6f4d586 (PolicyID / GroupID linked to malicious Intune script)
  • [Registry / Artifact keys] Intune artifacts – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Policies (used to find Intune-delivered script artifacts)

UNC2970’s technical playbook: they initiate contact via tailored LinkedIn accounts, move conversations to WhatsApp, and ultimately deliver job-themed lures that include malicious Word documents (macros + remote-template injection) or ZIP/ISO archives containing a trojanized TightVNC (LIDSHIFT). Word lure templates commonly pointed to compromised WordPress sites hosting remote templates; remote-template injection pulled down C2-hosted payloads which then established beacons and retrieved follow-on components.

Once a foothold was achieved, the actor employed multiple loaders and execution chains. TOUCHSHIFT acts as a dropper that uses DLL Search Order Hijacking and in-memory unpacking (XOR keys derived from the command-line arguments and the legitimate loader's filename) to execute embedded payloads such as TOUCHSHOT (screen capture) and TOUCHKEY (keylogger). LIDSHIFT, the trojanized TightVNC, beacons to a hardcoded C2 and reflectively injects an encrypted Notepad++ plugin (LIDSHOT), which enumerates the host and downloads shellcode from its own C2. PLANKWALK uses multi-stage DLL sideloading: a first-stage DLL launcher (observed as destextapi.dll, manextapi.dll, or pathextapi.dll) decrypts an encrypted PLANKWALK blob stored on disk at C:\ProgramData\Microsoft\Vault\cache###.db, and the decrypted configuration supplies the HTTP C2 URLs, typically hosted on compromised WordPress sites.

For enterprise-scale deployment, the group misused Microsoft Intune and the Intune Management Extension (IME) to push Base64-encoded PowerShell (CLOUDBURST) that writes a malicious mscoree.dll to C:\ProgramData, copies PresentationHost.exe into the same directory, and executes it with "-embeddingObject" so that the copied binary sideloads the malicious DLL. CLOUDBURST then enumerates the host (product name, computer name, running processes), contacts its C2 over crafted HTTP(S) URIs, and downloads and executes shellcode in memory. Defenders should hunt for the listed hashes, IME logs containing Base64-encoded PolicyBody scripts, the Intune policy GUID f391eded-82d3-4506-8bf4-9213f6f4d586, mscoree.dll or PresentationHost.exe appearing under C:\ProgramData, and HTTP POSTs to compromised WordPress plugin paths.
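A defender-side hunt for the Intune delivery chain described above, written as an added example for this page (it is neither Mandiant's code nor the actor's script). It assumes the IME policy records have been exported as dicts with PolicyId and PolicyBody fields (PolicyBody being the field name quoted in the report), uses the policy GUID and C:\ProgramData paths listed in the indicators, and runs over constructed sample records; the 64-character Base64 floor, the "legitimate PresentationHost.exe lives under C:\Windows" rule, and the benign sample GUID are assumptions of this example, and the embedded Base64 blob is an MZ-headed stand-in, not malware.

```python
import base64
import re

# Indicator taken from the list above; everything else here is an assumption of this example.
KNOWN_BAD_POLICY_IDS = {"f391eded-82d3-4506-8bf4-9213f6f4d586"}

# Raw-byte write under C:\ProgramData (the mscoree.dll drop quoted in the report).
PROGRAMDATA_WRITE = re.compile(
    r"Set-Content\s+[\"']?C:\\ProgramData\\[^\"'\s]+[\"']?.*?-Encoding\s+Byte",
    re.IGNORECASE | re.DOTALL,
)
# The sideload trigger: PresentationHost.exe started with -embeddingObject.
SIDELOAD_LAUNCH = re.compile(r"PresentationHost\.exe.*?-embeddingObject", re.IGNORECASE | re.DOTALL)
# Any long Base64 run; 64 characters is an arbitrary floor chosen for this example.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def decode_embedded_pe(script):
    """Return the first Base64 literal in `script` that decodes to a PE (MZ header), else None."""
    for m in BASE64_BLOB.finditer(script):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if data[:2] == b"MZ":
            return data
    return None


def analyze_policy(policy):
    """Return a list of findings for one IME policy record: {"PolicyId": ..., "PolicyBody": script}."""
    body = policy.get("PolicyBody", "")
    findings = []
    if policy.get("PolicyId", "").lower() in KNOWN_BAD_POLICY_IDS:
        findings.append("known UNC2970 policy GUID")
    if PROGRAMDATA_WRITE.search(body):
        findings.append("writes raw bytes under C:\\ProgramData")
    if SIDELOAD_LAUNCH.search(body):
        findings.append("launches PresentationHost.exe -embeddingObject")
    pe = decode_embedded_pe(body)
    if pe is not None:
        findings.append("embeds Base64 PE (%d bytes)" % len(pe))
    return findings


def hunt_policies(policies):
    """Map PolicyId -> findings for every record that produced at least one finding."""
    return {p["PolicyId"]: f for p in policies if (f := analyze_policy(p))}


def suspicious_presentationhost(image_path, command_line):
    """Flag a process-creation event where PresentationHost.exe runs from outside the
    Windows directory with -embeddingObject. Assumption: legitimate copies live under
    the Windows directory; a copy run from ProgramData is the sideload launcher above."""
    low = image_path.lower()
    if not low.endswith("\\presentationhost.exe"):
        return False
    return not low.startswith("c:\\windows\\") and "-embeddingobject" in command_line.lower()


# ---- constructed sample data (not real policy exports, events, or malware) ----
FAKE_PE = b"MZ" + b"\x90" * 200  # MZ-headed stand-in for the dropped DLL
SAMPLE_POLICIES = [
    {"PolicyId": "11111111-2222-3333-4444-555555555555",
     "PolicyBody": "Get-ChildItem $env:TEMP -Recurse | Remove-Item -Force"},
    {"PolicyId": "f391eded-82d3-4506-8bf4-9213f6f4d586",
     "PolicyBody": (
         '$EnModule = "%s"; '
         '$DeModule = [Convert]::FromBase64String($EnModule); '
         'Set-Content "C:\\ProgramData\\mscoree.dll" -Value $DeModule -Encoding Byte; '
         'Copy-Item "$env:SystemRoot\\System32\\PresentationHost.exe" "C:\\ProgramData\\"; '
         'Start-Process "C:\\ProgramData\\PresentationHost.exe" -ArgumentList "-embeddingObject"'
     ) % base64.b64encode(FAKE_PE).decode()},
]
SAMPLE_PROCESS_EVENTS = [
    (r"C:\Windows\System32\PresentationHost.exe", "PresentationHost.exe -embeddingObject"),
    (r"C:\ProgramData\PresentationHost.exe", '"C:\\ProgramData\\PresentationHost.exe" -embeddingObject'),
]

if __name__ == "__main__":
    for policy_id, findings in hunt_policies(SAMPLE_POLICIES).items():
        print(policy_id, "->", "; ".join(findings))
    for image, cmdline in SAMPLE_PROCESS_EVENTS:
        print(image, "->", "SUSPICIOUS" if suspicious_presentationhost(image, cmdline) else "ok")
```

The policy checks deliberately do not depend on the GUID alone: a re-created script would get a fresh PolicyId, so the Base64-to-MZ decode and the raw-byte write under C:\ProgramData are the findings that survive infrastructure changes. On a live host the same PolicyId values can be cross-checked against the IntuneManagementExtension\Policies registry key listed in the indicators.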

Read more: https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970