Mandiant says he first discovered the campaign in June 2022 when he followed a phishing campaign targeting a US tech customer. Then the hackers tried to infect the victim with three new viruses – Touchmove, Sideshow and Touchshift.

what is known

Then came a wave of attacks on American and European media from the UNC2970 group, which Mandiant linked to North Korea. UNC2970 was used for these attacks targeted email phishing disguised as a job offer, trying to reach their destination to install the virus.

• Researchers say the UNC2970 has recently changed tactics and switched from phishing emails to fake LinkedIn accounts that appear to belong to HR. Such accounts deftly imitate the personalities of real people to deceive victims and increase their chances of success.
• After contacting the victim and making him an “interesting job offer”, the attackers try to transfer the conversation to WhatsApp.and then use Messenger itself or email to deliver the backdoor, which Mandiant calls Plankwalk, and other malware families.
• Plankwalk and other malware in this group mostly use macros in Microsoft Word. When the document is opened and macros are allowed to run in the program, the victim’s computer downloads and executes a malicious payload from the hackers’ servers.
• In conclusion a ZIP archive containing, among other things, a malicious version of Tight VNC is downloaded For Remote Desktop Access, which Mandiant monitors under the name LIDSHIFT.
• Hacking takes place in the background while victims are told to run the StrictVNC app to ostensibly pass an employment test.

Researchers say the North Korean group has previously targeted the defense, media and technology industries.