| BURNBOOK | |
| --- | --- |
| Type of Malware | Dropper |
| Country of Origin | North Korea |
| Targeted Countries | United States |
| Date of Initial Activity | 2024 |
| Associated Groups | UNC2970 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
BURNBOOK is a launcher observed in campaigns attributed to UNC2970, a North Korea-linked cyber espionage group, where it deploys and manages the backdoor known as MISTPEN. Disguised as a modified copy of a legitimate SumatraPDF dynamic-link library (libmupdf.dll), BURNBOOK is the initial stage of a multi-layered infection chain. Its primary function is to decrypt and execute a payload embedded in an innocuous-looking PDF document while keeping a low profile to evade endpoint security solutions. The malware illustrates a growing trend among advanced persistent threat (APT) actors: the abuse of open-source tools to deliver sophisticated payloads with a minimal operational footprint.
At the technical level, BURNBOOK functions as both a dropper and a loader, bridging the initial infection vector and the deployment of secondary payloads. When a victim opens the trojanized PDF with the supplied, modified SumatraPDF binary, BURNBOOK, embedded in the compromised libmupdf.dll, decrypts the contents of the malicious PDF with the ChaCha20 cipher. It then executes the decrypted backdoor payload in memory, bypassing traditional disk-based security scans. BURNBOOK also establishes persistence, for example through scheduled tasks that invoke legitimate Windows binaries, so that the secondary payload runs again after a system reboot.
Targets
Public Administration
Information
Individuals
How they operate
At its core, BURNBOOK relies on DLL search-order hijacking, a technique in which a legitimate executable loads a malicious DLL at runtime because of the order in which Windows searches for libraries. In this campaign, the trojanized libmupdf.dll is placed alongside a legitimate SumatraPDF binary. When the victim opens the job-description PDF lure with the supplied reader, the SumatraPDF executable loads the local malicious DLL in preference to system libraries, which runs BURNBOOK's code in memory to decrypt and launch the secondary payload, MISTPEN. The PDF document is both a decoy and a carrier for the encrypted payload: BURNBOOK decrypts the payload embedded in the PDF with ChaCha20 and displays a legitimate-looking document while the backdoor executes in the background.
To ensure persistence, BURNBOOK creates a scheduled task named Sumatra Launcher on the infected system. The task runs a legitimate Windows binary (BdeUISrv.exe) daily, which in turn loads another malicious DLL (wtsapi32.dll) through DLL hijacking; this second DLL is the conduit that executes the MISTPEN payload while bypassing traditional endpoint detection. The malware also writes the encrypted backdoor to a hidden file named thumbs.ini, so the payload remains available even if the initial infection vector is removed.
Beyond execution and persistence, BURNBOOK shows refined defense evasion. Encrypted payload storage and masquerading let it blend into legitimate processes, and encrypted communication with its command-and-control (C2) infrastructure lowers the risk of detection during data exfiltration or command execution. Its role as a launcher for modular payloads adds flexibility, letting operators deploy additional tools or adapt the malware's behavior to their operational objectives.
In conclusion, BURNBOOK is engineered for stealth, persistence, and adaptability: its combination of DLL hijacking, scheduled tasks, and encrypted payloads reflects a high degree of technical sophistication. Defenders should watch for anomalous behavior in trusted binaries and adopt a layered approach that includes runtime analysis, behavioral monitoring, and strict DLL integrity checks. As UNC2970 continues to refine its techniques, understanding how BURNBOOK works is essential to mitigating the threat it poses.
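A detection-side illustration of the chain described above, added here and not part of the original write-up: a Python hunting rule over Sysmon/Windows event records that flags the behaviours the page names (wtsapi32.dll resolved from outside the system directories, a libmupdf.dll loaded by a SumatraPDF copy running from a user-writable folder, a scheduled task named Sumatra Launcher, and a thumbs.ini drop). The event field names follow Sysmon and Security event 4698; the paths, the user-writable heuristic and the sample records are constructed assumptions.

```python
import json
from pathlib import PureWindowsPath

# Names come from the BURNBOOK write-up above; the rules are a constructed
# heuristic over Sysmon/Windows events (7 image load, 11 file create, 4698 task created).
TASK_NAME = "sumatra launcher"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")

def _name(path):
    return PureWindowsPath(path).name.lower()

def check_event(ev):
    """Return a finding string for one event dict, or None if it looks benign."""
    image, eid = ev.get("Image", ""), ev.get("EventID")
    if eid == 7:
        loaded = ev.get("ImageLoaded", "")
        dll, low = _name(loaded), loaded.lower()
        # wtsapi32.dll is a system DLL: resolving it from outside System32 is
        # the search-order hijack the BdeUISrv.exe task depends on.
        if dll == "wtsapi32.dll" and not low.startswith(SYSTEM_DIRS):
            return f"hijacked system DLL: {_name(image)} loaded {loaded}"
        # A SumatraPDF copy run from a user-writable folder with its own
        # libmupdf.dll matches the trojanized bundle delivered by phishing.
        if (_name(image) == "sumatrapdf.exe" and dll == "libmupdf.dll"
                and any(d in low for d in USER_WRITABLE)):
            return f"untrusted libmupdf.dll beside SumatraPDF: {loaded}"
    elif eid == 4698 and TASK_NAME in ev.get("TaskName", "").lower():
        return f"persistence task created: {ev['TaskName']}"
    elif eid == 11 and _name(ev.get("TargetFilename", "")) == "thumbs.ini":
        return f"thumbs.ini written by {_name(image)}: {ev['TargetFilename']}"
    return None

def scan(lines):
    """Run check_event over newline-delimited JSON events; return findings."""
    events = (json.loads(line) for line in lines if line.strip())
    return [hit for ev in events if (hit := check_event(ev))]

# Constructed sample records (not real telemetry); paths are invented.
SAMPLE = r"""
{"EventID":7,"Image":"C:\\Users\\jdoe\\Downloads\\SumatraPDF\\SumatraPDF.exe","ImageLoaded":"C:\\Users\\jdoe\\Downloads\\SumatraPDF\\libmupdf.dll"}
{"EventID":4698,"TaskName":"\\Sumatra Launcher"}
{"EventID":7,"Image":"C:\\Users\\jdoe\\AppData\\Local\\BdeUISrv.exe","ImageLoaded":"C:\\Users\\jdoe\\AppData\\Local\\wtsapi32.dll"}
{"EventID":11,"Image":"C:\\Users\\jdoe\\Downloads\\SumatraPDF\\SumatraPDF.exe","TargetFilename":"C:\\Users\\jdoe\\AppData\\Local\\thumbs.ini"}
"""

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE.splitlines())))
```

The wtsapi32.dll rule is the most robust of the four, since a system DLL resolved from a non-system directory is anomalous regardless of the loading process; the others key on names the operators can change between campaigns.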
MITRE Tactics and Techniques
1. Initial Access (TA0001)
Technique T1566.002: Phishing (Spearphishing Link)
Description: BURNBOOK is delivered as part of a phishing campaign, typically through encrypted ZIP files shared via email or WhatsApp. These files contain trojanized versions of SumatraPDF bundled with malicious DLLs.
2. Execution (TA0002)
Technique T1204.002: User Execution (Malicious File)
Description: The user is tricked into executing the trojanized SumatraPDF binary, which loads the malicious libmupdf.dll library (BURNBOOK).
Technique T1129: Shared Modules
Description: BURNBOOK operates through a trojanized DLL module that is executed when the legitimate SumatraPDF.exe binary is launched.
3. Persistence (TA0003)
Technique T1053.005: Scheduled Task/Job (Scheduled Task)
Description: BURNBOOK creates a scheduled task named Sumatra Launcher to ensure the malicious payload is executed daily.
Technique T1574.001: Hijack Execution Flow (DLL Search Order Hijacking)
Description: The malware exploits DLL search-order hijacking to load its malicious libmupdf.dll instead of the legitimate library.
4. Defense Evasion (TA0005)
Technique T1140: Deobfuscate/Decode Files or Information
Description: BURNBOOK decrypts the payload embedded in the malicious PDF file with the ChaCha20 cipher before executing it.
Technique T1036.005: Masquerading (Match Legitimate Name or Location)
Description: BURNBOOK masquerades as a legitimate libmupdf.dll file, maintaining the appearance of being part of the SumatraPDF application.
5. Credential Access (TA0006)
Technique T1555: Credentials from Password Stores
Description: Although not directly confirmed, BURNBOOK’s persistence mechanisms suggest potential credential harvesting capabilities for long-term access.
6. Command and Control (TA0011)
Technique T1573.002: Encrypted Channel (Asymmetric Cryptography)
Description: BURNBOOK uses encrypted communication channels to transmit payloads and receive commands from its Command-and-Control (C2) server.
Technique T1071.001: Application Layer Protocol (Web Protocols)
Description: C2 communication likely relies on standard web protocols (e.g., HTTPS) to blend with legitimate network traffic and avoid detection.
7. Impact (TA0040)
Technique T1486: Data Encrypted for Impact
Description: While primarily a loader, BURNBOOK has the potential to deploy additional payloads, including ransomware or destructive malware, to encrypt or manipulate data.