In June 2024, researchers identified a North Korea-linked cyber espionage group, UNC2970, targeting victims in the energy and aerospace industries. The group used job openings as a lure, sending malicious PDF files disguised as job descriptions.
The PDF files were delivered with a trojanized version of SumatraPDF, which delivered the MISTPEN backdoor; UNC2970 has been observed modifying the open-source code of an older SumatraPDF version for this campaign.
SumatraPDF itself was not compromised, and no vulnerability in the software was involved. The SumatraPDF project has nonetheless been alerted to the campaign to raise awareness.
UNC2970, a cyberespionage group, targets critical infrastructure sectors in the US with spear-phishing emails carrying weaponized ZIP archives, each containing a seemingly legitimate job description (PDF) and a modified, malicious PDF reader.
The malicious PDF tailors the listed “required qualifications” to the target’s profile, omitting details such as specific location requirements, in order to trick senior-level employees into opening the booby-trapped PDF and so grant UNC2970 access to sensitive information.
The attack involved a social engineering lure via WhatsApp that tricked the victim into opening a ZIP archive containing a malicious PDF and a trojanized SumatraPDF DLL (libmupdf.dll), which decrypted the PDF lure and loaded the MISTPEN backdoor (a trojanized Notepad++ plugin).
It also wrote the backdoor to a file (thumbs.ini) and created a scheduled task to launch it daily through a legitimate Windows binary; the chain exploits no vulnerability and instead relies on loading a malicious DLL alongside a legitimate application (DLL side-loading).
BURNBOOK is a C/C++ launcher that decrypts and executes an encrypted payload from a PDF lure using the ChaCha20 cipher. The launcher first reads the PDF structure to determine the location of the encrypted PDF file and backdoor DLL.
It then decrypts the PDF file and injects the backdoor DLL (MISTPEN) into SumatraPDF.exe using reflective loading. For persistence, BURNBOOK copies BdeUISrv.exe and wtsapi32.dll to a specific directory and creates a scheduled task to launch BdeUISrv.exe daily.
MISTPEN is a backdoor written in C that downloads and executes PE files; it decrypts a token using AES to access a Microsoft API endpoint and communicates with Microsoft Graph URLs.
It reads configuration data from setup.bin or generates a random ID and sends messages to its C2 server. TEARPAGE, a loader embedded in BURNBOOK, decrypts an encrypted blob in %APPDATA%\Thumbs.ini using ChaCha20 to load the MISTPEN backdoor, which is then reflectively loaded into the memory space of BdeUISrv.exe.
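A defender-side hunting heuristic for the persistence chain described above, as an added example that is not from the Mandiant report or from any of the tools it describes. It checks a host inventory for the three traits the text gives: BdeUISrv.exe copied outside the Windows system directory with a wtsapi32.dll beside it (the side-load pair), a daily scheduled task launching that copy, and a Thumbs.ini in %APPDATA%; the drop directory, user name and task names are constructed placeholders, since the page does not give the real drop path.

```python
from pathlib import PureWindowsPath

# Constructed sample inventory (hypothetical paths, not observed indicators).
FILES = [
    r"C:\Windows\System32\BdeUISrv.exe",
    r"C:\Windows\System32\wtsapi32.dll",
    r"C:\Users\alice\AppData\Roaming\Example\BdeUISrv.exe",
    r"C:\Users\alice\AppData\Roaming\Example\wtsapi32.dll",
    r"C:\Users\alice\AppData\Roaming\Thumbs.ini",
]
TASKS = [  # constructed scheduled-task records: name, action binary, trigger
    {"name": "Updater", "trigger": "DAILY",
     "action": r"C:\Users\alice\AppData\Roaming\Example\BdeUISrv.exe"},
    {"name": "Backup", "trigger": "WEEKLY",
     "action": r"C:\Windows\System32\wbem\WMIC.exe"},
]

# Legitimate homes of BdeUISrv.exe; a copy anywhere else is suspicious.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def find_sideload_copies(files):
    """Directories holding BdeUISrv.exe outside a system dir with wtsapi32.dll next to it."""
    by_dir = {}
    for f in files:
        by_dir.setdefault(_parent(f), set()).add(PureWindowsPath(f).name.lower())
    return sorted(d for d, names in by_dir.items()
                  if {"bdeuisrv.exe", "wtsapi32.dll"} <= names
                  and not d.startswith(SYSTEM_DIRS))


def find_suspicious_tasks(tasks, sideload_dirs):
    """Daily tasks whose action is a BdeUISrv.exe living in a side-load directory."""
    return [t["name"] for t in tasks
            if t["trigger"].upper() == "DAILY"
            and PureWindowsPath(t["action"]).name.lower() == "bdeuisrv.exe"
            and _parent(t["action"]) in sideload_dirs]


def has_thumbs_ini(files):
    """True if a Thumbs.ini sits directly in the roaming %APPDATA% directory."""
    return any(str(PureWindowsPath(f)).lower().endswith(r"\appdata\roaming\thumbs.ini")
               for f in files)


def hunt(files, tasks):
    dirs = find_sideload_copies(files)
    return {"sideload_dirs": dirs,
            "tasks": find_suspicious_tasks(tasks, dirs),
            "thumbs_ini": has_thumbs_ini(files)}
```

Any one trait alone is weak; the combination of a relocated BdeUISrv.exe, its daily task and the Thumbs.ini blob is what warrants triage of the host.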
Mandiant discovered two malicious archives containing a trojanized SumatraPDF.exe. The later version, MISTPEN, exhibited improvements over the earlier BURNBOOK sample.
MISTPEN included a persistence mechanism by saving its configuration to a file and used a different C2 infrastructure communicating via compromised websites.
The way AES encryption was used differed between the two samples, suggesting that the threat actor, UNC2970 (likely North Korea-nexus), is continuously developing its malware for enhanced stealth and persistence.