LIGHTSHOW: a probable North Korean cyberespionage effort.
N2K, Mar 10, 2023

UNC2970, a suspected North Korean threat actor, has been observed by Mandiant since June 2022 targeting media companies in the West.


Mandiant researchers have been tracking a campaign by suspected North Korean espionage group UNC2970 that targets media and technology companies in the West, the cybersecurity firm reports.

UNC2970 likely connected to UNC577.

The researchers link the suspected North Korean threat actor with “high confidence” to UNC577, a group also known as Temp.Hermit, which has been active since at least 2013. Significant overlaps in assets with UNC577, as well as with other North Korean operators, have been observed. UNC577 has primarily targeted South Korean companies, with some attacks on a global scale, while UNC2970 has primarily been observed targeting entities in the West.

It all starts on LinkedIn.

These attacks begin on LinkedIn, with the threat actors posing as recruiters and reaching out to targets. The faux recruiter then tries to move the conversation to WhatsApp, where they send a phishing payload disguised as a job description. The job description payload is said to be a Microsoft Word document containing macros capable of performing remote template injection. Multiple post-exploitation code families have been seen in use: TOUCHMOVE, a loader that decrypts configuration files and a payload and then executes the payload; SIDESHOW, a backdoor that supports “at least 49 commands”; and TOUCHSHIFT, a malicious dropper.

Bring Your Own Vulnerable Device.

In the second part of their investigation, Mandiant researchers identified files and suspicious drivers on the originally compromised hosts. The researchers could not determine how, when or why they had been dropped until later, when the decoded files were found to lead to an in-memory-only dropper referred to by the researchers as LIGHTSHIFT. LIGHTSHIFT drops the LIGHTSHOW payload. The payload is said to “perform arbitrary read and write operations to kernel memory,” which helps it evade detection by Endpoint Detection and Response (EDR) software. This capitalizes on the idea of “Bring Your Own Vulnerable Device” (BYOVD), because LIGHTSHOW relies on trusted, yet vulnerable, drivers to function.