UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP archive containing an encrypted PDF and a modified PDF viewer. BURNBOOK decrypts and executes MISTPEN, which can download and run PE files. TEARPAGE, embedded in BURNBOOK, loads MISTPEN through DLL hijacking. The malware has evolved to include network connectivity checks and new features. UNC2970 has targeted victims in multiple countries, focusing on senior-level employees in critical sectors.
Author: AlienVault
Related Tags:
TEARPAGE
BURNBOOK
MISTPEN
T1218.011
T1053.005
Sweden
Netherlands
T1132.001
T1547.001
Associated Indicators:
1565161807718CED42E482C4DDFD5423C0249C5F110FCB5289954B19F9790FFC
D928F2E2D3092A816937057BFBCC9116D6C9B87E
57E2C60B09EF02CB127EAD9735D2A92BAE7B462B
B707F8E3BE12694B4470255E2EE58C81
8C2302C2D43EBE5DDA18B8D943436580
28A75771EBDB96D9B49C9369918CA581
CD6DBF51DA042C34C6E7FF7B1641837D
2505610C490D24A98DA730100175F262
0B77DCEE18660BDCCAF67550D2E00B00