Campaigns
Silent Recruiters: UNC2970's Trojanized Infiltration

Silent Recruiters: UNC2970's Trojanized Infiltration

MistPenMalwareTrojanizedPDFJobSeekerAttacksUNC2970TEMP.Hermit
UNC2970, a North Korean-backed hacking group, has launched a sophisticated cyber campaign targeting job seekers and major industries like energy and aerospace. Using trojanized PDF readers and luring victims with fake job applications, the group infiltrates critical sectors, deploying the MistPen malware to compromise sensitive data and networks. This campaign highlights the dangerous combination of social engineering and advanced malware tactics, aiming at individuals and organizations alike.

Indicators of Compromise

cmasedu.com
dstvdtt.co.za
www.clinicabaru.co
bmtpakistan.com
heropersonas.com
verisoftsystems.com

APT Groups1

TEMP.HermitKorea, Democratic People's Republic of

<p><b>Summary of Actor</b>:TEMP.Hermit is a suspected nation-state affiliated threat actor known for conducting cyber espionage operations. They have been active for several years and primarily focus on performing intelligence gathering against various sectors. TEMP.Hermit’s activities are characterized by their use of sophisticated malware and advanced tactics.</p><p><b>General Features</b>:Sophisticated malware use, advanced persistent threats (APTs), cyber espionage, intelligence gathering.</p><p><b>Related Other Groups</b>: APT28,Winnti Group</p><p><b>Indicators of Attack (IoA)</b>:<ul><li>Phishing emails</li><li>Malicious attachments</li><li>Command and control (C2) communication patterns</li></ul></p><p><b>Recent Activities and Trends</b>:<ul><li><b>Latest Campaigns </b>: TEMP.Hermit has recently been linked to a spear-phishing campaign targeting government officials in Eastern Europe, using lure documents related to current geopolitical events.</li><li><b>Emerging Trends </b>: There has been an observed shift towards leveraging supply chain attacks to infiltrate more secure networks and adopting new malware strains that utilize advanced obfuscation techniques to evade detection.</li></ul></p>

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1134 - Access Token Manipulation


ID

Data Source

Data Component

Detects

DS0026

Active Directory

Active Directory Object Modification

Monitor for changes made to AD settings that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.

DS0017

Command

Command Execution

Monitor executed commands and arguments for token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[29]

DS0009

Process

OS API Execution

Monitor for API calls, loaded by a payload, for token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. There are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser [30], DuplicateTokenEx[31], and ImpersonateLoggedOnUser[32]). Please see the referenced Windows API pages for more information.



Process Creation

Monitor for executed processes that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.



Process Metadata

Query systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.[33] Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.

DS0002

User Account

User Account Metadata

Monitor for contextual data about an account, which may include a username, user ID, environmental data, etc. that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.



T1059 - Command and Scripting Interpreter


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.

DS0011

Module

Module Load

Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll).

DS0009

Process

Process Creation

Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.



Process Metadata

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[52]

DS0012

Script

Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.



T1036 - Masquerading


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. [52]

Note: For Windows, Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on potential Masquerading.

DS0022

File

File Metadata

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters"\u202E", "[U+202E]", and "%E2%80%AE".

Check and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation.[53] In Linux, the file command may be used to check the file signature.[54]



File Modification

Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted file accesses that may be associate with Masquerading.

DS0007

Image

Image Metadata

Collecting disk and resource filenames for binaries, comparing that the InternalName, OriginalFilename, and/or ProductName match what is expected, could provide useful leads but may not always be indicative of malicious activity. [55]

DS0009

Process

OS API Execution

Monitor for API calls such as fork() which can be abused to masquerade or manipulate process metadata.



Process Creation

Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints.

Analytic 1 - Suspicious Run Locations

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND ( Image=":\RECYCLER*" OR Image=":\SystemVolumeInformation*" OR Image="%windir%\Tasks*" OR Image="%systemroot%\debug*")



Process Metadata

Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled.

DS0003

Scheduled Job

Scheduled Job Metadata

Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

On Windows, Event ID 4698 (Security Log - A scheduled task was created) can be used to alert on the creation of scheduled tasks and provides metadata including the task name and task content (as XML).

On Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on invocations of cron, and provides the metadata included when executing the command.



Scheduled Job Modification

Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

DS0019

Service

Service Creation

Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.



Service Metadata

Monitor for contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.



T1566 - Phishing


ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

DS0022

File

File Creation

Monitor for newly constructed files from a phishing messages to gain access to victim systems.

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15]



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.



T1055 - Process Injection


ID

Data Source

Data Component

Detects

DS0022

File

File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.



File Modification

Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

DS0011

Module

Module Load

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

DS0009

Process

OS API Execution

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[86] Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[87] [88] [89] [90]



Process Access

Monitor for processes being viewed that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.



Process Metadata

Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module.[91]



Process Modification

Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.



T1574 - Hijack Execution Flow


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may execute their own malicious payloads by hijacking the way operating systems run programs.

DS0022

File

File Creation

Monitor for newly constructed files that may execute their own malicious payloads by hijacking the way operating systems run programs.



File Modification

Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious.

DS0011

Module

Module Load

Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths.

DS0009

Process

Process Creation

Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.

DS0019

Service

Service Metadata

Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.

DS0024

Windows Registry

Windows Registry Key Modification

Monitor for changes made to windows registry keys and/or values that may execute their own malicious payloads by hijacking the way operating systems run programs.

Observed Countries9

AU (989)
CY (529)
DE (914)
GB (921)
HK (790)
IE (589)
NL (854)
SG (331)
US (322)