

March 13, 2023
Severity
High
Analysis Summary
According to researchers, the North Korean hacking group UNC2970 has been using previously undocumented malware in a spear-phishing campaign targeting US and European media and tech firms since June 2022.
UNC2970 is the latest moniker assigned by the threat intelligence organisation to a group of North Korean cyber activities that maps to UNC577 – aka Temp.Hermit – and includes another embryonic threat cluster tracked as UNC4034.
“UNC2970 has a concerted effort towards obfuscation and employs multiple methods to do this throughout the entire chain of delivery and execution,” researchers said in a detailed analysis.
The group sends fake job adverts to targets on LinkedIn before moving conversations to WhatsApp to deliver a phishing payload to the victim under the guise of a job profile. The threat cluster shares “multiple overlaps” with a long-running operation dubbed “Dream Job” that employs job recruitment lures in email messages to trigger the infection sequence.

If a victim falls for the scheme, UNC2970 gains an initial foothold through a backdoor that is then used to deliver additional tools, including keyloggers, screenshot utilities, and further backdoors. UNC2970 has also used Microsoft Intune to drop payloads in targeted environments.
One of the malware families deployed by the group is a trojanized version of TightVNC, a remote desktop software. This malicious version, dubbed LIDSHIFT, is designed to load a next-stage payload named LIDSHOT, which can download and execute shellcode from a remote server.
Researchers have seen UNC2970 deploy a broad variety of specialised post-exploitation tools during their operations to accomplish their objectives. A dropper tracked as TOUCHSHIFT has been one of UNC2970’s go-to tools. Thanks to TOUCHSHIFT, UNC2970 is able to use a variety of add-on tools, including keyloggers, screenshot tools, and fully functional backdoors.
The malicious dropper TOUCHSHIFT masquerades as mscoree.dll or netplwix.dll. It has been noted that TOUCHSHIFT executes one or two different payloads in memory. The payloads TOUCHSHOT, TOUCHKEY, HOOKSHOT, TOUCHMOVE, and SIDESHOW have all been seen.
- TOUCHSHOT – A software, configured to take a screenshot every three seconds
- TOUCHKEY – A keylogger – captures keystrokes and clipboard data
- HOOKSHOT – A tunneler – connects over TCP to communicate with the command-and-control (C2) server
- TOUCHMOVE – A loader – decrypts and executes a payload on the machine
- SIDESHOW – A backdoor written in C/C++ – runs arbitrary commands and communicates via HTTP POST requests with its C2 server
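The alert notes that TOUCHSHIFT masquerades as mscoree.dll or netplwix.dll. A practical detection angle is to flag any image-load event in which a DLL carrying one of those names is loaded from a directory where the genuine library does not live. The following script is an added example written for this page, not Rewterz or the original researchers' tooling; the event schema (loosely modelled on a Sysmon image-load record), the sample events, and the allowlisted directories are assumptions that must be tuned to the environment before use.

```python
"""Flag image-load events where a DLL bearing a system-library name is loaded
from an unexpected directory. Constructed example for this alert, not vendor
tooling; event format, sample data and trusted directories are assumptions."""
from pathlib import PureWindowsPath

# DLL names the alert says TOUCHSHIFT masquerades as (spelled as in the alert).
WATCHED_DLLS = {"mscoree.dll", "netplwix.dll"}

# Assumption: directories where these libraries legitimately reside on a
# default Windows install. Extend for your own builds before deploying.
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}


def is_suspicious_load(image_path: str) -> bool:
    """True when a watched DLL name is loaded from outside TRUSTED_DIRS."""
    path = PureWindowsPath(image_path)
    if path.name.lower() not in WATCHED_DLLS:
        return False
    parent = str(path.parent).lower().rstrip("\\")
    return parent not in TRUSTED_DIRS


def triage(events):
    """Return (process, image_path) for every suspicious image-load event.

    Each event is a dict with 'process' (loading executable) and 'image'
    (full path of the loaded DLL); this schema is a constructed assumption.
    """
    return [(e["process"], e["image"]) for e in events if is_suspicious_load(e["image"])]


# Constructed sample events; paths are illustrative, not observed indicators.
SAMPLE_EVENTS = [
    {"process": "svchost.exe", "image": r"C:\Windows\System32\mscoree.dll"},
    {"process": "netplwiz.exe", "image": r"C:\Users\Public\Downloads\netplwix.dll"},
    {"process": "update.exe", "image": r"C:\Users\jdoe\AppData\Local\Temp\mscoree.dll"},
    {"process": "explorer.exe", "image": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for proc, image in triage(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {proc} loaded {image}")
```

The check keys on the file name alone, so a renamed genuine library copied into a user-writable folder would also fire; that is intentional, since a legitimate copy of mscoree.dll under a user's Temp directory is itself worth a look. Pair it with a hash comparison against the indicators in this alert to separate confirmed TOUCHSHIFT samples from benign anomalies.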
“The identified malware tools highlight continued malware development and deployment of new tools by UNC2970. Although the group has previously targeted defense, media, and technology industries, the targeting of security researchers suggests a shift in strategy or an expansion of its operations,” they conclude.
It is concerning to hear that the North Korean cyber espionage group UNC2970 is expanding its operations with new malware families. This indicates that the group is continuing to invest in its cyber capabilities and is actively seeking new ways to evade detection and infiltrate targeted networks.
Organizations in the targeted sectors, such as media and technology companies, should remain vigilant and take appropriate measures to protect themselves against these attacks. This includes implementing strong email security controls, regularly updating software and operating systems, and conducting regular security awareness training for employees.
Impact
- Remote-Template Injection
- Exposure of Sensitive Data
Indicators of Compromise
MD5
- 7e6e2ed880c7ab115fca68136051f9ce
- 866f9f205fa1d47af27173b5eb464363
- 49425d6dedb5f88bddc053cc8fd5f0f4
- 05b6f459be513bf6120e9b2b85f6c844
SHA-256
- 175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347
- f6bae38338601d961248e43ffdae05bdf4336edeea9eaf806f481e5f24700249
- 3d988aa9d79ef06bcee5e4a4fed4efdc1047a3456969e7dce3c5b27631d651b9
- e1ecf0f7bd90553baaa83dcdc177e1d2b20d6ee5520f5d9b44cdf59389432b10
SHA-1
- 3cd037fbba8aae82c1b111c9f8755349c98bcb3c
- 06a77054b9a95e792d35831c35bc318b6d2d4a6e
- 7f4371d557cd4eab657ef8b62a1e21db997aa594
- 56dddfda80d3eb6d6cd3f0531719cf9fac5abf4a
URL
- http://webinternal.anyplex.com/images/query_image.jsp
- http://www.fainstec.com/assets/js/jquery/jquery.php
- https://leadsblue.com/wp-content/wp-utility/index.php
- https://toptradenews.com/wp-content/themes/themes.php
- http://mantis.quick.net.pl/library/securimage/index.php
- http://www.keewoom.co.kr/prod_img/201409/prod.php
- http://abba-servicios.mx/wordpress/wp-content/themes/config.php
- https://olidhealth.com/wp-includes/php-compat/compat.php
- https://doug.org/wp-includes/admin.php
- https://crickethighlights.today/wp-content/plugins/contact.php
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IOCs) in your environment utilizing your respective security controls.
- Update and Patch all Software and Systems: Make sure all systems and software are up-to-date and patched regularly, including operating systems, applications, and firmware. UNC2970 frequently exploits vulnerabilities in software and systems to gain access to networks, so it’s essential to keep them updated.
- Use Multi-Factor Authentication (MFA): MFA is an excellent way to prevent unauthorized access to accounts and systems. Enforce MFA for all accounts that have access to critical systems and data.
- Monitor Network Traffic: Regularly monitor network traffic for unusual activity, such as large transfers of data or unusual connections to foreign IPs, and investigate any suspicious activity immediately.
- Conduct Regular Security Awareness Training: Employees should receive regular training on how to identify and avoid phishing attempts, social engineering, and other tactics used by attackers to gain access to systems and data.
- Implement Endpoint Protection: Use endpoint protection solutions to detect and prevent malware from executing on endpoints, such as laptops, desktops, and mobile devices.
- Implement Network Segmentation: Network segmentation can limit the damage caused by an attack by separating critical systems and data from other parts of the network.
- Regularly Conduct Penetration Testing: Regularly conduct penetration testing to identify vulnerabilities in your network and systems and address them before attackers can exploit them.
- Partner with a Managed Security Service Provider (MSSP): An MSSP can provide 24/7 monitoring, threat intelligence, incident response, and other security services to augment the organization’s internal security capabilities.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Also, refer to the mitigations recommended by researchers.
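The Indicators of Compromise section above and the remediation step “Search for IOCs in your environment” together call for a concrete sweep. The script below is an added example for this page, not Rewterz tooling: it loads the alert's MD5, SHA-1, SHA-256 and URL indicators verbatim, hashes file contents against them, and matches web-proxy log lines on either the exact URL or just the hostname. The proxy log format (`timestamp client-ip method url status`) and the sample lines are constructed assumptions; the indicator values are copied from the alert.

```python
"""Sweep files and proxy logs for the indicators listed in this alert.
Constructed example; the log format and sample log lines are assumptions,
the indicator values are those published in the alert."""
import hashlib
from typing import List, Optional
from urllib.parse import urlsplit

IOC_MD5 = {
    "7e6e2ed880c7ab115fca68136051f9ce", "866f9f205fa1d47af27173b5eb464363",
    "49425d6dedb5f88bddc053cc8fd5f0f4", "05b6f459be513bf6120e9b2b85f6c844",
}
IOC_SHA1 = {
    "3cd037fbba8aae82c1b111c9f8755349c98bcb3c", "06a77054b9a95e792d35831c35bc318b6d2d4a6e",
    "7f4371d557cd4eab657ef8b62a1e21db997aa594", "56dddfda80d3eb6d6cd3f0531719cf9fac5abf4a",
}
IOC_SHA256 = {
    "175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347",
    "f6bae38338601d961248e43ffdae05bdf4336edeea9eaf806f481e5f24700249",
    "3d988aa9d79ef06bcee5e4a4fed4efdc1047a3456969e7dce3c5b27631d651b9",
    "e1ecf0f7bd90553baaa83dcdc177e1d2b20d6ee5520f5d9b44cdf59389432b10",
}
IOC_URLS = {
    "http://webinternal.anyplex.com/images/query_image.jsp",
    "http://www.fainstec.com/assets/js/jquery/jquery.php",
    "https://leadsblue.com/wp-content/wp-utility/index.php",
    "https://toptradenews.com/wp-content/themes/themes.php",
    "http://mantis.quick.net.pl/library/securimage/index.php",
    "http://www.keewoom.co.kr/prod_img/201409/prod.php",
    "http://abba-servicios.mx/wordpress/wp-content/themes/config.php",
    "https://olidhealth.com/wp-includes/php-compat/compat.php",
    "https://doug.org/wp-includes/admin.php",
    "https://crickethighlights.today/wp-content/plugins/contact.php",
}
# Hostnames derived from the URL indicators, for broader (noisier) matching.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}


def file_hashes(data: bytes) -> dict:
    """All three digests of a file's bytes, lower-case hex, as the alert lists them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_file(data: bytes) -> List[str]:
    """Names of the indicator sets the file's hashes hit; empty list means no hit."""
    h = file_hashes(data)
    hits = []
    if h["md5"] in IOC_MD5:
        hits.append("md5")
    if h["sha1"] in IOC_SHA1:
        hits.append("sha1")
    if h["sha256"] in IOC_SHA256:
        hits.append("sha256")
    return hits


def match_log_line(line: str) -> Optional[str]:
    """'url' for an exact indicator URL, 'host' for an indicator hostname only, else None.

    Assumed line layout: '<timestamp> <client-ip> <method> <url> <status>'.
    """
    parts = line.split()
    if len(parts) < 4:
        return None
    url = parts[3]
    if url in IOC_URLS:
        return "url"
    host = urlsplit(url).hostname
    if host and host.lower() in IOC_HOSTS:
        return "host"
    return None


def scan_log(lines) -> List[tuple]:
    """(line, match_kind) for every line that hits an indicator, in input order."""
    return [(line, kind) for line in lines if (kind := match_log_line(line)) is not None]


# Constructed proxy log lines; client IPs and timestamps are illustrative.
SAMPLE_LOG = [
    "2023-03-13T09:12:04Z 10.0.0.15 GET https://doug.org/wp-includes/admin.php 200",
    "2023-03-13T09:12:09Z 10.0.0.15 POST https://leadsblue.com/wp-content/wp-utility/index.php 200",
    "2023-03-13T09:13:30Z 10.0.0.22 GET https://doug.org/about 200",
    "2023-03-13T09:14:02Z 10.0.0.22 GET https://example.com/index.html 200",
]

if __name__ == "__main__":
    for line, kind in scan_log(SAMPLE_LOG):
        print(f"[{kind}] {line}")
    print("constructed sample file hits:", match_file(b"constructed clean sample"))
```

Hostname-level hits are deliberately reported separately from exact-URL hits: several of the listed URLs sit on what appear to be compromised legitimate sites, so a request to another path on the same host is a triage lead rather than a confirmed contact with the C2 path. The alert also describes SIDESHOW communicating over HTTP POST, which is why the sample log keeps the method column; filtering host matches down to POST requests is a reasonable first narrowing step.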