Hackers, imposter, north Korea | General Hacking | Crax

North Korean hackers offering job through LinkedIn, imposters

Posted by TheSscorpio (Member, joined Mar 11, 2023)

Mandiant experts noticed that North Korean hackers are focusing on information security specialists. The attackers try to infect researchers with malware, hoping to penetrate the networks of the companies they work for.

Mandiant says they first discovered this campaign in June 2022 while tracking a phishing campaign aimed at an American client in the technology industry. At that time the hackers tried to infect the target with three new malware families (Touchmove, Sideshow and Touchshift).

Soon after, there was a wave of attacks on American and European media by the UNC2970 group, which Mandiant links to North Korea. For these attacks, UNC2970 used targeted email phishing disguised as job offers, trying to force its targets to set a rhizier.

Researchers say that UNC2970 recently changed tactics: instead of phishing emails, it switched to fake LinkedIn accounts allegedly belonging to HR staff. Such accounts carefully imitate the identities of real people in order to deceive victims and increase the chances of a successful attack.

Having contacted the victim and made them an "interesting offer" of work, the intruders try to move the conversation to WhatsApp, and then use either the messenger or email to deliver a backdoor, which Mandiant named Plankwalk, as well as other malware families.

Plankwalk and the group's other malware mainly rely on macros in Microsoft Word. When the document is opened and macros are allowed to run, the target machine downloads and executes malicious payloads from the hackers' servers (their role is mainly played by hacked WordPress sites). As a result, a ZIP archive is delivered to the target's machine which, among other things, contains a malicious version of the TightVNC remote desktop application, which Mandiant tracks under the name LIDSHIFT.

One of the hackers also impersonates the New York Times.
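The two artefacts in the delivery chain above, a Word document that only works if macros run and a ZIP that drops a renamed remote-access executable, are both cheap to screen for on a mail gateway or an analyst's workbench. The script below is an added example written for this post, not Mandiant's tooling and not code from the original thread. It assumes OOXML files (.docx/.docm), where macros live in `word/vbaProject.bin`, and treats the presence of that stream as "this file can run VBA"; the search for auto-exec procedure names in the raw stream is a heuristic, since real analysis has to decompress the module streams (olevba does that). The second check lists every member of an archive that begins with a PE `MZ` header regardless of its extension, so a VNC binary renamed to look like data is still reported. All sample files are constructed inline and contain no real malware.

```python
"""Heuristic checks for the delivery chain described in the post:
a Word document carrying VBA macros, followed by a ZIP archive that
drops a trojanised remote-access tool. Added example, not Mandiant's
tooling; the sample files below are constructed in memory."""
import io
import zipfile

# VBA procedure names Word/Excel run automatically on open.
AUTO_EXEC_NAMES = (b"AutoOpen", b"Document_Open", b"AutoExec",
                   b"Auto_Open", b"Workbook_Open")

# First two bytes of a Windows PE executable.
PE_MAGIC = b"MZ"


def inspect_office_document(data: bytes) -> dict:
    """Return macro indicators for an OOXML file given as bytes.

    OOXML is a ZIP; macros are stored in word/vbaProject.bin, so its
    presence alone means the file can execute VBA. Auto-exec names are
    searched in the raw stream as a heuristic (assumption: the marker is
    visible uncompressed; a full parser would decompress the modules)."""
    result = {"is_ooxml": False, "has_vba_project": False, "auto_exec": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP container at all
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result  # a ZIP, but not an Office Open XML package
    result["is_ooxml"] = True
    vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if not vba:
        return result
    result["has_vba_project"] = True
    blob = zf.read(vba[0])
    result["auto_exec"] = sorted({n.decode() for n in AUTO_EXEC_NAMES if n in blob})
    return result


def inspect_dropped_archive(data: bytes) -> list:
    """List ZIP members that are PE executables by content (MZ header),
    whatever their file extension says."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                if member.read(2) == PE_MAGIC:
                    found.append(info.filename)
    return found


def _build_zip(members: dict) -> bytes:
    """Helper to construct a small ZIP in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): a macro-bearing document whose
# vbaProject.bin carries an AutoOpen marker, a macro-free document, and a
# dropper ZIP whose PE payload is renamed to a data extension.
SAMPLE_MACRO_DOC = _build_zip({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + b"Sub AutoOpen()",
})
SAMPLE_CLEAN_DOC = _build_zip({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
SAMPLE_DROPPER_ZIP = _build_zip({
    "readme.txt": "setup notes",
    "vncviewer.dat": b"MZ\x90\x00" + b"\x00" * 32,  # PE header, data extension
})

if __name__ == "__main__":
    print(inspect_office_document(SAMPLE_MACRO_DOC))
    print(inspect_office_document(SAMPLE_CLEAN_DOC))
    print(inspect_dropped_archive(SAMPLE_DROPPER_ZIP))
```

In practice the `has_vba_project` flag is the useful signal for a job-offer attachment: a CV or offer letter has no reason to carry a VBA project at all, so the file can be quarantined before anyone decides whether to enable macros. The archive check catches the second stage described in the post, where the real payload is an executable rather than the document itself.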