- Hackers posed as recruiters for big companies to target senior-level employees.
- Victims were lured through phishing emails and WhatsApp chats.
- The malware was hidden in a trojanized version of a popular PDF reader.
A North Korean-linked hacking group has been caught using bogus job offers to deliver malware to unsuspecting victims.
In June 2024, Mandiant Managed Defense identified activity from the cyber espionage group it tracks as UNC2970.
These hackers, suspected of having ties to North Korea, did not rely on email alone: they also contacted victims over WhatsApp, posing as recruiters from major companies.
Their targets? Senior-level employees in critical infrastructure sectors in the United States, including energy and aerospace.
UNC2970’s phishing attacks were well-targeted. The hackers created bogus job offers that resembled legitimate positions at well-known companies.
These offers included job descriptions that had been lightly edited to match the victim's profile.
The lure came as a password-protected ZIP archive, which looks like routine handling of confidential documents and, as a side effect, keeps email security gateways from inspecting the contents.
The real kicker: the PDF itself was encrypted, and the only way to open it was to run the trojanized copy of SumatraPDF, a popular open-source PDF viewer, supplied with it.
Instead of a job offer, victims got the MISTPEN backdoor, launched by a loader Mandiant calls BURNBOOK.
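As an added illustration (not code from the original report or from Mandiant), here is a Python triage check a mail gateway or analyst could run over such an archive. It reads only the ZIP central directory, which stays readable even when the entry contents are password-protected, and flags a document bundled with an executable. The file names and bytes in the sample archives are constructed for the example.

```python
import io
import os
import zipfile
from dataclasses import dataclass, field

# Windows executable/library extensions that have no business next to a job description.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".msi"}
# Document types typically used as the lure.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".xls", ".xlsx"}


@dataclass
class ArchiveVerdict:
    documents: list = field(default_factory=list)
    executables: list = field(default_factory=list)
    encrypted_entries: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_archive(data: bytes) -> ArchiveVerdict:
    """Inspect a ZIP's central directory without extracting anything.

    Classic ZIP password protection encrypts entry *contents* only; the file
    names, sizes and the per-entry 'encrypted' flag stay in the clear, so this
    check works on a password-protected lure even when the password is unknown.
    """
    verdict = ArchiveVerdict()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # general-purpose bit 0: entry is encrypted
                verdict.encrypted_entries += 1
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in DOCUMENT_EXTS:
                verdict.documents.append(info.filename)
            elif ext in EXECUTABLE_EXTS:
                verdict.executables.append(info.filename)

    if verdict.documents and verdict.executables:
        verdict.reasons.append("document bundled with executable code")
    if verdict.executables and verdict.encrypted_entries:
        verdict.reasons.append("executable hidden behind archive password")
    return verdict


def build_sample_zip(entries: dict) -> bytes:
    """Create an in-memory ZIP so the example runs offline.

    Python's zipfile cannot write password-protected archives, so these
    samples are unencrypted; the flag check above only fires on real samples.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives: names and bytes are made up for illustration.
LURE_ARCHIVE = build_sample_zip({
    "Offer/Job_Description.pdf": b"%PDF-1.7\n% placeholder for an encrypted lure\n",
    "Offer/SumatraPDF.exe": b"MZ placeholder for a rebuilt viewer",
    "Offer/README.txt": b"Open the PDF with the included viewer.",
})
BENIGN_ARCHIVE = build_sample_zip({
    "Offer/Job_Description.pdf": b"%PDF-1.7\n% ordinary document\n",
})


if __name__ == "__main__":
    for label, blob in (("lure", LURE_ARCHIVE), ("benign", BENIGN_ARCHIVE)):
        v = triage_archive(blob)
        print(f"{label}: suspicious={v.suspicious} reasons={v.reasons}")
```

The check deliberately never opens an entry, so it needs no password and cannot be tripped up by a decompression bomb; it is a cheap first-pass filter, not a substitute for detonating the executable in a sandbox.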
What makes this campaign notable is that the malware did not exploit any flaw in SumatraPDF.
Instead, UNC2970 took the viewer's open-source code and built its own modified copy, one that delivers malware while still behaving like a normal PDF reader.
Mandiant informed the SumatraPDF maintainers, though that does not help anyone who has already run the rebuilt viewer; the problem lies in the copy the attackers sent, not in the project's official releases.
When the victim opened the PDF with the trojanized viewer, it decrypted the document and silently dropped and ran the backdoor, giving the attackers remote access to the system.
This was not a spray-and-pray phishing campaign: by going after senior-level employees only, UNC2970 was after access to highly sensitive information.
Once running, MISTPEN could download and execute additional payloads, turning the victim's workstation into a foothold for espionage.
So if you receive an unexpected job offer via WhatsApp, verify the recruiter through the company's official channels before opening any attachment, and never open a document with a viewer that arrives alongside it; install PDF readers only from the vendor's official site.