Aerospace and energy organizations in the U.S., Singapore, Australia, and other parts of the world have been targeted by North Korean cyberespionage operation UNC2970 with job-themed phishing lures aimed at spreading the novel MISTPEN backdoor, reports The Hacker News.
After establishing trust with targets through spear-phishing emails purporting to offer senior- or manager-level positions at high-profile companies, UNC2970 delivered a malicious ZIP file masquerading as a job description, an analysis from Google Cloud's Mandiant revealed. Opening the job description PDF with a trojanized Sumatra PDF reader deploys the BURNBOOK launcher, which in turn loads MISTPEN through an embedded TEARPAGE loader, according to the researchers, who also observed ongoing enhancements to both BURNBOOK and MISTPEN.
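As an added, defender-side illustration (not code from Mandiant or The Hacker News), the Python below inspects a ZIP archive for the pairing described above: a document delivered together with an executable such as a renamed PDF reader. The file names and contents are constructed for the example; real lures may differ.

```python
import io
import zipfile

# Constructed, hypothetical heuristic: a "job description" archive that ships
# a document next to an executable is worth a closer look.
DOC_EXTS = {".pdf", ".doc", ".docx"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".lnk"}
PE_MAGIC = b"MZ"  # every Windows PE file starts with these two bytes


def suspicious_pairing(zip_bytes: bytes) -> dict:
    """List document and executable members of a ZIP and flag the combination."""
    docs, execs = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in DOC_EXTS:
                docs.append(name)
                continue
            # Check content as well as extension: a renamed PE still begins with "MZ".
            head = zf.open(info).read(2)
            if ext in EXEC_EXTS or head == PE_MAGIC:
                execs.append(name)
    return {"documents": docs, "executables": execs,
            "suspicious": bool(docs) and bool(execs)}


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a PDF beside a fake "reader" carrying only a PE header.
    lure = build_sample_zip({"Job_Description.pdf": b"%PDF-1.4 ...",
                             "SumatraPDF.exe": PE_MAGIC + b"\x00" * 64})
    print(suspicious_pairing(lure))
```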
"The threat actor has improved their malware over time by implementing new features and adding a network connectivity check to hinder the analysis of the samples," said researchers.