North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware

September 18, 2024

A cyberespionage group with ties to North Korea has been observed using occupation-themed phishing scams to target potential victims in the energy and aerospace industries, infecting them with a previously undocumented backdoor called MISTPEN.

This cluster of activity is being tracked by Google’s Mandiant as UNC2970. The company said the group overlaps with a threat group known as TEMP.Hermit, also commonly referred to as the Lazarus Group or Diamond Sleet (formerly known as Zinc).

This threat actor has a history of targeting government, defense, communications, and financial institutions around the world to collect strategic information to advance North Korean interests since at least 2013. This actor is affiliated with the Reconnaissance General Bureau (RGB).

The threat intelligence firm said it has observed UNC2970 targeting various organizations in the United States, Britain, the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong and Australia.

“UNC2970 poses as recruiters from well-known companies and targets victims with disguised job postings,” it said in the new analysis, adding that it copies and adapts job descriptions to fit the targets’ profiles.

“Furthermore, the job descriptions selected target employees at senior management levels, suggesting that the threat actors are aiming to access sensitive or confidential information that is typically restricted to employees at senior management levels.”

Also known as “Operation Dream Job,” this series of attacks involves communicating with victims via email and WhatsApp using spear phishing bait to build trust before sending them a malicious ZIP archive file disguised as a job advertisement.

Interestingly, the instruction PDF file can only be opened with a trojanized version of a legitimate PDF reader application called Sumatra PDF, which is included within the archive that distributes MISTPEN via a launcher called BURNBOOK.

It is important to note that this does not represent a supply chain attack, nor is there a software vulnerability – rather, the attack is known to use an older version of Sumatra PDF that has been reused to jumpstart the infection chain.

This is a proven technique that hacking groups have employed since 2022, with both Mandiant and Microsoft highlighting the use of a wide range of open source software in these attacks, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installers.

It is believed that the threat actors likely instruct victims to open the PDF file using the included weaponized PDF viewer program, which triggers the execution of a malicious DLL file, a C/C++ launcher called BURNBOOK.

“This file is tracked as TEARPAGE and is a dropper for an embedded DLL, ‘wtsapi32.dll’, which is used to execute the MISTPEN backdoor after a system reboot,” Mandiant researchers said. “MISTPEN is a Trojanized version of the legitimate Notepad++ plugin, binhex.dll, which contains a backdoor.”
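The two DLL names quoted above give a defender a concrete hunting lead: a legitimate wtsapi32.dll lives only under the Windows system directories, and binhex.dll belongs in the Notepad++ plugins tree, so either file found elsewhere deserves triage. The script below is an added example, not code from the article or from Mandiant; the install directories and the file listing are constructed assumptions for the demonstration.

```python
"""Flag DLL search-order hijack candidates tied to the MISTPEN chain.

Added example (not from the article or Mandiant). The article reports
that TEARPAGE drops a DLL named 'wtsapi32.dll' and that MISTPEN is a
trojanized copy of the Notepad++ plugin 'binhex.dll'. The directory
lists below assume default install locations; the file listing is
constructed for the example.
"""
from pathlib import PureWindowsPath

# Assumed legitimate homes for the two DLL names.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
NPP_PLUGIN_DIRS = (r"c:\program files\notepad++\plugins",
                   r"c:\program files (x86)\notepad++\plugins")

WATCHED = {
    "wtsapi32.dll": SYSTEM_DIRS,
    "binhex.dll": NPP_PLUGIN_DIRS,
}


def is_suspicious(path: str) -> bool:
    """True if a watched DLL name sits outside its expected directories."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in WATCHED:
        return False
    parent = str(p.parent).lower()
    # Accept the expected directory itself or any subdirectory of it.
    return not any(parent == d or parent.startswith(d + "\\")
                   for d in WATCHED[name])


def triage(listing):
    """Return the suspicious paths from an iterable of file paths."""
    return [p for p in listing if is_suspicious(p)]


# Constructed listing: a job-lure archive extracted into a user's Downloads.
SAMPLE_LISTING = [
    r"C:\Windows\System32\wtsapi32.dll",
    r"C:\Windows\SysWOW64\wtsapi32.dll",
    r"C:\Program Files\Notepad++\plugins\binhex\binhex.dll",
    r"C:\Users\alice\Downloads\job_description\SumatraPDF.exe",
    r"C:\Users\alice\Downloads\job_description\wtsapi32.dll",
    r"C:\Users\alice\AppData\Roaming\binhex.dll",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LISTING):
        print("SUSPICIOUS:", hit)
```

Feed it the output of a file inventory from an EDR or a recursive directory listing; hits are triage leads, not verdicts, since a legitimately relocated plugin would also match.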

TEARPAGE, a loader embedded in BURNBOOK, is responsible for decrypting and launching MISTPEN. MISTPEN is a lightweight implant written in C that is instrumented to download and execute a Portable Executable (PE) file obtained from a command and control (C2) server. It communicates over HTTP with the following Microsoft Graph URLs:

Mandiant also said it found older BURNBOOK and MISTPEN artifacts, suggesting they were repeatedly improved to add features and fly under the radar. Early MISTPEN samples were also found using compromised WordPress websites as C2 domains.

“Threat actors have improved their malware over time by implementing new functionality and adding network connectivity checks that hinder analysis of the samples,” the researchers said.
