UNC2970 Hackers Targeting Job Seekers with Weaponized PDF Files


Trojanized PDF readers are malicious programs disguised as legitimate PDF viewing applications.

Threat actors primarily use them to deliver malware, either by exploiting vulnerabilities in the PDF format or by tricking users into executing malicious code.


Recently, cybersecurity analysts at Google Mandiant identified that UNC2970 hackers have been actively attacking job seekers using weaponized PDF readers.

In June 2024, Mandiant Managed Defense identified UNC2970, a suspected North Korean cyber espionage group targeting U.S. critical infrastructure sectors.


Sophisticated Phishing Tactics

The group employs sophisticated phishing tactics, posing as recruiters and sending tailored job descriptions for senior-level positions. 

Their infection chain utilizes a password-protected ZIP archive containing an encrypted PDF and a trojanized version of “SumatraPDF” (v3.4.3 or earlier). 

When victims open the PDF using the modified application, it triggers the “BURNBOOK” launcher (a malicious libmupdf.dll) which decrypts the PDF using “ChaCha20” cipher with a “32-byte key” and “12-byte nonce.” 

BURNBOOK then loads the “MISTPEN” backdoor which is a modified Notepad++ plugin (binhex.dll), into the SumatraPDF.exe process via reflective loading, Mandiant said. 

For persistence, the malware creates a scheduled task named “Sumatra Launcher” in %APPDATA%\Microsoft\BDE UI Launcher, using “BdeUISrv.exe” and employing DLL search-order hijacking with a malicious “wtsapi32.dll.” 

The MISTPEN payload is re-encrypted and stored in %APPDATA%\Thumbs.ini for later execution. 

This technique allows UNC2970 to bypass security measures, targeting aerospace, energy, and nuclear sectors. 

The campaign doesn’t exploit any vulnerability in SumatraPDF but rather modifies its open-source code to deliver the malicious payload.
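The persistence artifacts described above (the “Sumatra Launcher” task, a relocated BdeUISrv.exe with a wtsapi32.dll beside it under %APPDATA%, and the re-encrypted payload in %APPDATA%\Thumbs.ini) lend themselves to a simple host hunt. The following is an added example written for this article, not Mandiant's tooling; it works on an offline inventory of task names and file paths, and the sample inventory is constructed.

```python
import ntpath
from dataclasses import dataclass

# Indicators taken from the write-up (compared case-insensitively).
TASK_NAME = "sumatra launcher"
HIJACKED_DLL = "wtsapi32.dll"
HOST_BINARY = "bdeuisrv.exe"
HIJACK_DIR_SUFFIX = r"\appdata\roaming\microsoft\bde ui launcher"  # %APPDATA%\Microsoft\BDE UI Launcher
PAYLOAD_SUFFIX = r"\appdata\roaming\thumbs.ini"                    # %APPDATA%\Thumbs.ini
# Legitimate homes of wtsapi32.dll; a copy anywhere else is a search-order hijack candidate.
SYSTEM_DIRS = (r"\windows\system32", r"\windows\syswow64")


@dataclass
class Finding:
    indicator: str
    evidence: str


def hunt(task_names, file_paths):
    """Return Findings for a host inventory of scheduled-task names and file paths."""
    findings = [Finding("scheduled-task", n) for n in task_names
                if n.strip().lower() == TASK_NAME]
    lowered = {p.lower(): p for p in file_paths}
    dirs_with_host = {ntpath.dirname(p) for p in lowered
                      if ntpath.basename(p) == HOST_BINARY}
    for p, original in lowered.items():
        d, base = ntpath.split(p)
        if base == HIJACKED_DLL and not d.endswith(SYSTEM_DIRS):
            # Flag more strongly when the DLL sits next to the BdeUISrv.exe copy that would load it.
            tag = "dll-hijack" + ("+host" if d in dirs_with_host else "")
            findings.append(Finding(tag, original))
        elif p.endswith(PAYLOAD_SUFFIX):
            findings.append(Finding("encrypted-payload", original))
        elif base == HOST_BINARY and d.endswith(HIJACK_DIR_SUFFIX):
            findings.append(Finding("relocated-host-binary", original))
    return findings


# Constructed sample inventory: one benign task and the system copies next to the implanted ones.
SAMPLE_TASKS = ["MicrosoftEdgeUpdateTaskMachineCore", "Sumatra Launcher"]
SAMPLE_FILES = [
    r"C:\Windows\System32\wtsapi32.dll",
    r"C:\Windows\System32\BdeUISrv.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\BDE UI Launcher\BdeUISrv.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\BDE UI Launcher\wtsapi32.dll",
    r"C:\Users\alice\AppData\Roaming\Thumbs.ini",
    r"C:\Users\alice\Downloads\SumatraPDF.exe",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKS, SAMPLE_FILES):
        print(f"{f.indicator:22} {f.evidence}")
```

The inventory can be produced with `schtasks /query` and a directory listing exported from the host; only paths under the user profile need to be supplied for the file checks.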

Infection lifecycle (Source – Mandiant)

MISTPEN is written in C, and its primary function is to download and execute Portable Executable (PE) files. 

The backdoor uses AES encryption with a specific 256-bit key to decrypt a token, which it then uses to access Microsoft Graph APIs. 

MISTPEN communicates over HTTPS with Microsoft endpoints, including login.microsoftonline.com and graph.microsoft.com. 

It supports various commands, including: 

  • ‘d’ for loading and executing PE payloads.
  • ‘e’ for termination.
  • ‘f’ for sleep functionality.
  • ‘g’ for updating its configuration.

The backdoor can read and write its settings to a file named “setup.bin,” which gives it a persistent configuration. MISTPEN is typically delivered alongside “BURNBOOK,” the trojanized PDF reader that employs DLL search-order hijacking. 

“TEARPAGE” is a further component that acts as a loader: it uses the ChaCha20 cipher to decrypt “MISTPEN” from an encrypted blob in “%APPDATA%\Thumbs.ini.” 

This malware suite is linked with UNC2970, and this group uses job-themed phishing emails to target multinational companies across various sectors and countries.
