North Korea targets security researchers in new attacks

by time news

Researchers from Mandiant, a security solutions company, said they have uncovered a series of large cyberattacks in which hackers working for the North Korean government target digital security researchers using new technologies and software, hoping to infiltrate the companies where the victims work.

The company said the campaign began in June 2020 and used three new families of malware: Touchmove, Sideshow, and Touchshift.

The researchers suspect that the group, code-named UNC2970, specifically targeted digital security researchers in this operation, using LinkedIn accounts posing as HR employees. These accounts were carefully crafted to mimic the identities of real people in order to deceive victims and increase the attack's chances of success. After contacting the victim via LinkedIn, the attacker attempts to move the conversation to the victim's WhatsApp application in order to deliver the malware.

The attackers deliver the Plankwalk malware through macros embedded in Microsoft Word documents. When the document is opened and the macro is allowed to run, malware is downloaded from the attackers' command and control server and executed. The attackers relied mainly on hacked websites running WordPress to deliver their malware.
