A suspected North Korean hacking group is targeting security researchers and media organizations in the U.S. and Europe with fake job offers that lead to the deployment of three new, custom malware families.
The attackers use social engineering to convince their targets to engage over WhatsApp, where they drop the malware payload “PlankWalk,” a C++ backdoor that helps them establish a foothold in the target’s corporate environment.
According to Mandiant, which has been tracking the particular campaign since June 2022, the observed activity overlaps with “Operation Dream Job,” attributed to the North Korean cluster known as the “Lazarus group.”
However, Mandiant observed enough differences in the tools, infrastructure, and TTPs (tactics, techniques, and procedures) employed to attribute this campaign to a separate group that it tracks as “UNC2970.”
Furthermore, the attackers use previously unseen malware named “TOUCHMOVE,” “SIDESHOW,” and “TOUCHSHIFT,” none of which has been attributed to any known threat group.
Mandiant says the group has previously targeted tech firms, media groups, and entities in the defense industry. Its latest campaign shows that it has evolved its targeting scope and adapted its capabilities.