New UNC2970 Espionage Campaign Targets Media and Tech Companies

Phishing via fake job schemes

• The attackers create fake accounts on LinkedIn, posing as professional recruiters. These accounts are used to approach the targeted victims and socially engineer them into having a Whatsapp conversation.
• During the conversation, attackers deliver a malicious payload, primarily Word documents claiming to be a job description, directly via Whatsapp or email.

Malware taking over operations

• To establish a foothold, UNC2970 deploys PLANKWALK, a C++ backdoor, executed through a launcher. The backdoor further allows attackers to distribute additional tools on the target machine.
• PLANKWALK communicates with the C2 server (mostly compromised WordPress sites) and then leverages a wide variety of additional tooling, including TOUCHSHIFT (a malware dropper), TOUCHSHOT (screenshot grabber), TOUCHKEY (keylogger), HOOKSHOT (a TCP tunneling tool), TOUCHMOVE (a loader), and SIDESHOW (C/C++ backdoor) to gather intelligence.
• It abuses Microsoft Intune to upload custom PowerShell scripts containing malicious code to be deployed, including CLOUDBURST (a C-based backdoor).
• The attack continues further with an in-memory-only dropper called LIGHTSHIFT. This dropper drops the LIGHTSHOW utility, which uses anti-analysis techniques to hinder both static and dynamic analysis.

Attribution

• The activities of the UNC2970 group have been linked, with high confidence, to the UNC577 group (aka Temp.Hermit), one of the sub-groups working under the Lazarus collective.
• Spear-phishing attacks leveraging a job-recruitment theme via fake LinkedIn profiles have some overlaps with Operation Dream Job that has been tracked and reported by several agencies including Clearsky, Google, and Proofpoint.

The bottom line