2 min

North Korean state hackers are behind a new phishing campaign targeting security researchers.

This was discovered by researchers at Mandiant. According to the security provider, North Korean hackers UNC2970 have been conducting a campaign targeting security researchers since last June. With the campaign, the hackers are trying to spread three new malware families, Touchmove, Sideshow and Touchshift. In addition, the cybercriminals are also trying new techniques to bypass endpoint detection tools when the malware is active in victims’ cloud environments.

According to Mandiant, UNC2970’s new attack has mainly targeted media organizations in the U.S. and Europe in recent months.

Attacks via LinkedIn

The fact that security experts are now specifically being targeted is a new development, according to Mandiant. Yet the Google subsidiary already warned about this two years ago. The North Korean hackers approached these security experts via specially set up fake accounts on LinkedIn that were barely distinguishable from the real thing. In doing so, they pretended to be recruiters. This technique is also not new.

Using the fake LinkedIn accounts, UNC2970 tries to contact the victims, in this case mainly security researchers, via WhatsApp. They then send a malware-laden document directly through the messaging service or via email.

When victims open this malicious payload, the malware installs itself and the hackers gain C2 access. The North Korean cybercriminals’ C2 servers are often compromised WordPress sites.

Often this is done via the well-known backdoor PLANKWALK. So now new malware variants are also being installed, as well as, for example, the remote desktop malware TightVNC. TightVNC is another variant of the LIDSHIFT malware.

Protection options

Companies can guard against these types of attacks by taking a number of measures, according to Mandiant. These include implementing multi-factor authentication and creating specific cloud-only accounts to access Azure Active Directory.

A separate account for sending e-mail, Web browsing and equivalent activities would also be useful, as would a dedicated admin account for performing sensitive admin work.

Other possible protection measures include blocking macros, deploying privileged identity management, conditional access policies and more security restrictions in Azure AD. Requiring multiple admins to approve InTune transactions is also recommended.

Also read: Threat intelligence data not used enough in security decisions