North Korean hackers, associated with the Lazarus Group and identified as UNC2970, have introduced a new and sophisticated piece of malware known as MISTPEN. This cyber-espionage group has targeted high-level employees within the energy and aerospace sectors, utilizing job-themed phishing schemes to execute their attacks. By masquerading as recruiters for prominent companies, the hackers entice their victims with fake job offers, which contain malicious attachments designed to compromise sensitive systems.
The MISTPEN malware is distributed through a unique method involving a trojanized version of the Sumatra PDF reader. The attack begins with a spear-phishing email or WhatsApp message that includes a ZIP file, which appears to be a legitimate job description. To activate the malware, victims are instructed to open the PDF file using the weaponized Sumatra PDF reader included in the archive. This process deploys the MISTPEN backdoor, a trojanized Notepad++ plugin, via a launcher known as BURNBOOK.
Once installed, MISTPEN grants the attackers remote access to the compromised system, allowing them to download and execute additional payloads. The malware communicates with command-and-control servers over HTTP, utilizing various Microsoft Graph URLs. Mandiant, the cybersecurity firm tracking this activity, has noted that the attackers continually enhance MISTPEN, incorporating features that improve its evasion techniques and increase its stealth capabilities.
This latest attack underscores the growing threat posed by North Korean cyber operations targeting critical global industries. By focusing on high-profile sectors and employing advanced tactics, the Lazarus Group aims to gather strategic intelligence and maintain its foothold in international cyber-espionage activities. The persistence and sophistication of these attacks highlight the need for heightened security measures to defend against such evolving threats.
