September 18, 2024 at 07:03AM
North Korea-linked cyber-espionage group UNC2970, also tracked as TEMP.Hermit and associated with the Lazarus Group, is phishing energy and aerospace targets with job-themed lures to deliver a backdoor named MISTPEN. Mandiant reports that the group has a history of strategic intelligence collection in support of North Korean interests. Its Operation Dream Job campaigns use weaponized PDFs and outdated software to run the infection chain, and the tooling has evolved over time to evade detection.
Key takeaways from the report:
1. A North Korea-linked cyber-espionage group, UNC2970, has been observed targeting energy and aerospace verticals with job-themed phishing lures to deliver a backdoor named MISTPEN.
2. UNC2970 has a history of targeting government, defense, telecommunications, and financial institutions since at least 2013, in furtherance of North Korean interests.
3. The attack begins with spear-phishing messages that engage victims over email and WhatsApp; a trojanized PDF reader program then activates the infection chain and delivers MISTPEN.
4. The threat actors have iteratively improved the malware over time and use compromised WordPress websites as command-and-control infrastructure.