
Stealing the LIGHTSHOW — North Korea's UNC2970

In June 2022, Mandiant Managed Defense detected and responded to a UNC2970 phishing campaign targeting a U.S.-based technology company. During this operation, Mandiant observed UNC2970 leverage three new code families: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT. Mandiant suspects UNC2970 specifically targeted security researchers in this operation. Following the identification of this campaign, Mandiant responded to multiple UNC2970 intrusions targeting U.S. and European media organizations through spear-phishing that used a job recruitment theme.


REFERENCES:
https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
https://www.mandiant.com/resources/blog/lightshift-and-lightshow



ADVERSARY: TEMP.Hermit


INDUSTRIES: Media, Technology, Defense



MALWARE FAMILIES: LIGHTSHIFT, SIDESHOW, TOUCHSHIFT, PLANKWALK, LIDSHIFT, LIDSHOT


ATT&CK IDS: T1553 - Subvert Trust Controls, T1070 - Indicator Removal on Host, T1027 - Obfuscated Files or Information, T1036 - Masquerading, T1055 - Process Injection, T1056 - Input Capture, T1059 - Command and Scripting Interpreter, T1102 - Web Service, T1104 - Multi-Stage Channels, T1105 - Ingress Tool Transfer, T1113 - Screen Capture, T1115 - Clipboard Data, T1133 - External Remote Services, T1140 - Deobfuscate/Decode Files or Information, T1547 - Boot or Logon Autostart Execution, T1560 - Archive Collected Data, T1562 - Impair Defenses, T1566 - Phishing, T1573 - Encrypted Channel, T1574 - Hijack Execution Flow

