In June 2022, Mandiant Managed Defense detected and responded to an UNC2970 phishing campaign targeting a U.S.-based technology company. During this operation, Mandiant observed UNC2970 leverage three new code families: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT. Mandiant suspects UNC2970 specifically targeted security researchers in this operation. Following the identification of this campaign, Mandiant responded to multiple UNC2970 intrusions targeting U.S. and European media organizations through spear-phishing that used a job recruitment theme.
REFERENCES: https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970 https://www.mandiant.com/resources/blog/lightshift-and-lightshow
TAGS: UNC2970, TEMP.Hermit, LIGHTSHIFT, SIDESHOW, TOUCHSHIFT, PLANKWALK, LIDSHIFT, LIDSHOT, TightVNC Viewer, WordPress, phish
ADVERSARY: TEMP.Hermit
INDUSTRIES: Media, Technology, Defense
TARGETED COUNTRIES: United States of America, Korea, Republic of
MALWARE FAMILIES: LIGHTSHIFT, SIDESHOW, TOUCHSHIFT, PLANKWALK, LIDSHIFT, LIDSHOT
ATT&CK IDS: T1553 - Subvert Trust Controls, T1070 - Indicator Removal on Host, T1027 - Obfuscated Files or Information, T1036 - Masquerading, T1055 - Process Injection, T1056 - Input Capture, T1059 - Command and Scripting Interpreter, T1102 - Web Service, T1104 - Multi-Stage Channels, T1105 - Ingress Tool Transfer, T1113 - Screen Capture, T1115 - Clipboard Data, T1133 - External Remote Services, T1140 - Deobfuscate/Decode Files or Information, T1547 - Boot or Logon Autostart Execution, T1560 - Archive Collected Data, T1562 - Impair Defenses, T1566 - Phishing, T1573 - Encrypted Channel, T1574 - Hijack Execution Flow