An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader
2024-09-17 • Mandiant •
https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader/
Mandiant tracked UNC2970, a suspected North Korea-nexus group, using recruiter personas and tailored job descriptions to target senior employees at U.S. critical infrastructure, energy, and aerospace organizations. The lure, delivered over email and WhatsApp, was a password-protected ZIP containing an encrypted PDF and a trojanized build of the open source SumatraPDF viewer. Opening the PDF with the supplied viewer ran BURNBOOK, a launcher carried in a modified libmupdf.dll, which decrypted the lure document and deployed the MISTPEN backdoor through DLL search-order hijacking and a scheduled task. No SumatraPDF vulnerability was exploited: the victim had to run the attacker's own build of the viewer, so the campaign's effectiveness rests on long-form social engineering paired with modifications to legitimate open source software.
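The chain above leaves three observable stages a defender can hunt for: a sidecar libmupdf.dll loaded from a user-writable directory (the BURNBOOK launcher), a scheduled task whose action lives in such a directory, and DNS lookups of the listed domains. The Python below is an added example, not Mandiant's tooling or anything from the report; the hash and domain sets are copied from the IOC table, while the event field names, file paths, host names and the "user-writable path" heuristic are assumptions constructed for the demo (fields are modelled loosely on Sysmon event IDs 1, 7 and 22 and Security event 4698).

```python
"""Hunting helpers for the UNC2970 chain summarized on this page.

Added example, not Mandiant tooling. IOC_MD5 and IOC_DOMAINS come from the
page's IOC table; every event record, path and host name below is constructed
for the demo. Field names are modelled loosely on Sysmon (EventID 1 process
create, 7 image load, 22 DNS query) and Security log 4698 (task created).
"""
import hashlib
import ntpath
import os
import re
import tempfile

# Indicators copied from the IOC table on this page (MD5).
IOC_MD5 = {
    "006cbff5d248ab4a1d756bce989830b9",
    "8c2302c2d43ebe5dda18b8d943436580",
    "eca8eb8871c7d8f0c6b9c3ce581416ed",
    "57e8a7ef21e7586d008d4116d70062a6",
}
IOC_DOMAINS = {"cmasedu.com", "bmtpakistan.com", "dstvdtt.co.za"}

# Assumption: a viewer extracted from a ZIP lives under the user's profile or
# a temp directory, unlike a vendor install under Program Files.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|appdata)|windows\\temp)\\",
    re.IGNORECASE,
)


def md5_file(path, chunk=1 << 20):
    """Streamed MD5; MD5 only because the table's file IOCs are MD5."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes=IOC_MD5):
    """Return sorted paths under root whose MD5 appears in `hashes`."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if md5_file(path) in hashes:
                hits.append(path)
    return sorted(hits)


def in_ioc_domains(name, domains=IOC_DOMAINS):
    """True for an IOC domain or any subdomain of one."""
    name = name.lower().rstrip(".")
    return name in domains or any(name.endswith("." + d) for d in domains)


def hunt(events, domains=IOC_DOMAINS):
    """Return (host, stage, detail) findings for the three observable stages."""
    findings = []
    for e in events:
        host, eid = e["Host"], e["EventID"]
        if eid == 7:  # image load: sidecar libmupdf.dll outside a vendor dir
            dll = e["ImageLoaded"]
            if ntpath.basename(dll).lower() == "libmupdf.dll" and USER_WRITABLE.match(dll):
                findings.append((host, "sidecar_dll", f"{e['Image']} loaded {dll}"))
        elif eid == 4698:  # scheduled task whose action sits in a user-writable path
            if USER_WRITABLE.match(e["TaskCommand"]):
                findings.append((host, "scheduled_task", f"{e['TaskName']} -> {e['TaskCommand']}"))
        elif eid == 22:  # DNS query for a listed domain
            if in_ioc_domains(e["QueryName"], domains):
                findings.append((host, "ioc_dns", f"{e['Image']} resolved {e['QueryName']}"))
    return findings


def chain_hosts(findings, min_stages=2):
    """Hosts showing at least `min_stages` distinct stages: escalate these first."""
    stages = {}
    for host, stage, _ in findings:
        stages.setdefault(host, set()).add(stage)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


# Constructed telemetry: WS01 shows the full chain, WS02 is a vendor install.
SAMPLE_EVENTS = [
    {"EventID": 7, "Host": "WS01", "Image": r"C:\Users\jdoe\Downloads\Offer\SumatraPDF.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\Offer\libmupdf.dll"},
    {"EventID": 7, "Host": "WS02", "Image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "ImageLoaded": r"C:\Program Files\SumatraPDF\libmupdf.dll"},
    {"EventID": 4698, "Host": "WS01", "TaskName": r"\OfferUpdate",
     "TaskCommand": r"C:\Users\jdoe\AppData\Roaming\stage\update.exe"},
    {"EventID": 22, "Host": "WS01", "Image": r"C:\Users\jdoe\AppData\Roaming\stage\update.exe",
     "QueryName": "cmasedu.com"},
    {"EventID": 22, "Host": "WS02", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "example.org"},
]


def demo_scan():
    """Self-check for scan_tree on constructed files; returns matching basenames."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "sub"))
        with open(os.path.join(d, "sub", "match.bin"), "wb") as f:
            f.write(b"constructed sample")
        with open(os.path.join(d, "other.bin"), "wb") as f:
            f.write(b"benign")
        want = {hashlib.md5(b"constructed sample").hexdigest()}
        return [os.path.basename(p) for p in scan_tree(d, want)]


if __name__ == "__main__":
    for host, stage, detail in hunt(SAMPLE_EVENTS):
        print(host, stage, detail)
    print("escalate:", chain_hosts(hunt(SAMPLE_EVENTS)))
    print("demo scan hits:", demo_scan())
```

Run it against real telemetry by feeding `hunt` normalized event dicts and `scan_tree` a mounted image or a download directory; the path heuristic will fire on any legitimately portable SumatraPDF run from Downloads, so treat a single stage as a lead and the `chain_hosts` result as the escalation list.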
Indicators of Compromise
The HASH entries are MD5 digests. The URL entries are truncated in the source table; all three sit under wp-content paths on the three listed domains. The YARA entries are Mandiant rule names covering the BURNBOOK launcher, the TEARPAGE launcher and the MISTPEN backdoor.
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| YARA | M_APT_Launcher_TEARPAGE_1 | 2024-09-17 | 2024-09-17 |
| YARA | M_APT_Backdoor_MISTPEN_2 | 2024-09-17 | 2024-09-17 |
| YARA | M_Launcher_BURNBOOK_2 | 2024-09-17 | 2024-09-17 |
| YARA | M_Launcher_BURNBOOK_1 | 2024-09-17 | 2024-09-17 |
| HASH | 006cbff5d248ab4a1d756bce989830b9 | 2024-09-17 | 2024-09-17 |
| HASH | 8c2302c2d43ebe5dda18b8d943436580 | 2024-09-17 | 2024-09-17 |
| HASH | eca8eb8871c7d8f0c6b9c3ce581416ed | 2024-09-17 | 2024-09-17 |
| HASH | 57e8a7ef21e7586d008d4116d70062a6 | 2024-09-17 | 2024-09-17 |
| URL | https://dstvdtt.co.za/wp-conten… | 2024-09-17 | 2024-09-17 |
| URL | https://cmasedu.com/wp-content/… | 2024-09-17 | 2024-09-17 |
| URL | https://bmtpakistan.com/solutio… | 2024-09-17 | 2024-09-17 |
| DOMAIN | cmasedu.com | 2024-09-17 | 2024-09-17 |
| DOMAIN | bmtpakistan.com | 2024-09-17 | 2024-09-17 |
| DOMAIN | dstvdtt.co.za | 2024-09-17 | 2024-09-17 |