North Korean UNC2970 Hackers Expands Operations with New Malware Families
2023-03-10 07:43

A North Korean espionage group tracked as UNC2970 has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organizations since June 2022.

UNC2970 is the new moniker assigned by the threat intelligence firm Mandiant to a set of North Korean cyber activity that maps to UNC577 and also comprises another nascent threat cluster tracked as UNC4034.

"Their operations since that time are representative of Pyongyang's efforts to collect strategic intelligence to benefit North Korean interests."

The latest set of UNC2970 attacks are characterized by initially approaching users directly on LinkedIn using "Well designed and professionally curated" fake accounts posing as recruiters.

UNC2970 is also said to have leveraged Microsoft Intune, an endpoint management solution, to drop a bespoke PowerShell script containing a Base64-encoded payload referred to as CLOUDBURST, a C-based backdoor that communicates over HTTP. In a continuation of the Bring Your Own Vulnerable Driver (BYOVD) technique used by North Korea-aligned actors, the intrusions further employ an in-memory-only dropper called LIGHTSHIFT that delivers another piece of malware codenamed LIGHTSHOW. Besides taking steps to hinder dynamic and static analysis, the utility drops a legitimate, signed version of a driver with known vulnerabilities and uses it to read and write kernel memory, ultimately disarming security software installed on the infected host.

"The identified malware tools highlight continued malware development and deployment of new tools by UNC2970," Mandiant said.

News URL

https://thehackernews.com/2023/03/north-korean-unc2970-hackers-expands.html