An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader | Google Cloud Blog
Common Information
Type Value
UUID 3d77c2a4-6661-436a-9e01-d02247129962
Fingerprint a6cf9911063283c1
Published Sept. 18, 2024, midnight
Added to db Sept. 17, 2024, 5 p.m.
Last updated Nov. 17, 2024, 6:30 p.m.
Headline An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader
Title An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader | Google Cloud Blog
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 330 Threat Intelligence https://www.mandiant.com/resources/blog/rss.xml 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 707
google.com — legitimate domain, listed only because it appears in the report; not a blockable indicator.
Details Domain 61
login.microsoftonline.com — legitimate Microsoft identity endpoint (see the OAuth token URL below). It appears together with the Microsoft Graph OneDrive endpoints, which suggests a legitimate cloud service is used as transport; hunt for token requests and Graph drive access from unexpected processes rather than blocking the domain.
Details Domain 32
graph.microsoft.com — legitimate Microsoft Graph endpoint; the /me/drive URLs below point at OneDrive, suggesting it is used as transport. Not a blockable indicator; hunt for Graph drive access from unexpected processes instead.
Details Domain 4
bmtpakistan.com
Details Domain 4
cmasedu.com
Details Domain 2
dstvdtt.co.za — the extractor truncated this hostname to "dstvdtt.co"; the URL below gives the full host dstvdtt.co.za.
Details File 6
sumatrapdf.exe — note: sumatrapdf.exe, libmupdf.dll, pdffilter.dll and pdfpreview.dll are the names of legitimate SumatraPDF components that the lure archive bundles (see the M_Launcher_BURNBOOK_1 YARA rule below); match on the published hashes and YARA rules, not on these filenames alone.
Details File 5
libmupdf.dll
Details File 3
development.pdf
Details File 4
binhex.dll
Details File 3
thumbs.ini
Details File 6
bdeuisrv.exe
Details File 41
wtsapi32.dll — note: this is also the name of a legitimate Windows system DLL, so a filename match alone is not an indicator. Its listing next to the %appdata% bdeuisrv.exe path below is consistent with DLL side-loading from a user-writable directory; compare hash, signature and load path before acting.
Details File 3
%appdata%\thumbs.ini
Details File 2
%appdata%\microsoft\bde ui launcher\bdeuisrv.exe — bdeuisrv.exe shares its name with a legitimate Windows binary; the signal here is the executable running from a user-writable %appdata% path (with the wtsapi32.dll listed above beside it), not the name itself.
Details File 6
setup.bin
Details File 6
asset.php
Details File 17
script.php
Details File 24
lib.php
Details File 2
pdffilter.dll
Details File 2
pdfpreview.dll
Details md5 2
8c2302c2d43ebe5dda18b8d943436580
Details md5 4
57e8a7ef21e7586d008d4116d70062a6
Details md5 4
eca8eb8871c7d8f0c6b9c3ce581416ed
Details md5 4
006cbff5d248ab4a1d756bce989830b9
Details IPv4 13
2.0.0.1 — likely a version string captured by the IPv4 extractor rather than a network indicator; do not block it without confirmation from the source report.
Details Mandiant Temporary Group Assumption 44
TEMP.HERMIT
Details Mandiant Uncategorized Groups 44
UNC2970
Details Mandiant Uncategorized Groups 16
UNC4034
Details Url 5
https://login.microsoftonline.com/common/oauth2/v2.0/token
Details Url 6
https://graph.microsoft.com/v1.0/me/drive/root
Details Url 2
https://graph.microsoft.com/v1.0/me/drive/items
Details Url 4
https://bmtpakistan.com/solution/wp-content/plugins/one-click-demo-import/assets/asset.php — this and the two URLs below are PHP files under WordPress plugin directories, consistent with compromised third-party sites being used for staging or C2; the hosts may still serve legitimate content, so prefer blocking or hunting on the full URL path where feasible, and verify against the source report.
Details Url 4
https://cmasedu.com/wp-content/plugins/kirki/inc/script.php
Details Url 4
https://dstvdtt.co.za/wp-content/plugins/social-pug/assets/lib.php
Details Yara rule 2
// Detects the BURNBOOK delivery archive: a ZIP whose members include a .pdf
// and the SumatraPDF component names listed below. The md5 in meta is the
// reference sample only; it is not part of the condition.
rule M_Launcher_BURNBOOK_1 {
	meta:
		author = "Mandiant"
		date_created = "2024-08-12"
		date_modified = "2024-08-12"
		md5 = "8c2302c2d43ebe5dda18b8d943436580"
		rev = 1
	strings:
		// ZIP structure markers: local file header and central directory
		// record signatures ("PK\x03\x04" and "PK\x01\x02").
		$pk_magic = { 50 4B 03 04 }
		$cd_magic = { 50 4B 01 02 }
		// Member names to look for (case-sensitive). These are the names of
		// legitimate SumatraPDF files; the rule relies on their co-occurrence
		// with a .pdf in one archive, so a benign repackaged SumatraPDF bundled
		// with a PDF can also hit -- triage matches rather than treating a hit
		// alone as malicious.
		$n1 = "libmupdf.dll"
		$n2 = ".pdf"
		$n3 = "PdfFilter.dll"
		$n4 = "PdfPreview.dll"
		$n5 = "SumatraPDF.exe"
	condition:
		// The file must start with a local file header. Then, for each of the
		// five names, some entry i >= 2 must carry that name in the file-name
		// field of both the i-th local header (offset 30, length at offset 26)
		// and the i-th central directory record (offset 46, length at 28); the
		// five names may sit in different entries. Entry 1 (offset 0) is never
		// examined, so a single-member archive cannot match. Pairing is by
		// occurrence index, so stray PK\x03\x04 sequences inside member data
		// (e.g. a nested ZIP) shift the alignment, and if there are fewer
		// central directory records than local headers the out-of-range
		// @cd_magic[i] is undefined and that iteration evaluates false.
		uint32(0) == 0x04034b50 and for any i in (2 .. #pk_magic) : ( ($n1 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and ($n1 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) ) and for any i in (2 .. #pk_magic) : ( ($n2 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and ($n2 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) ) and for any i in (2 .. #pk_magic) : ( ($n3 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and ($n3 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) ) and for any i in (2 .. #pk_magic) : ( ($n4 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and ($n4 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) ) and for any i in (2 .. #pk_magic) : ( ($n5 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 + uint16(@pk_magic[i] + 26))) and ($n5 in (@cd_magic[i] + 46 .. @cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) )
}
Details Yara rule 2
// Detects the BURNBOOK launcher by two x86-64 code patterns. The md5 in meta
// is the reference sample only; it is not part of the condition.
rule M_Launcher_BURNBOOK_2 {
	meta:
		author = "Mandiant"
		date_created = "2024-08-12"
		date_modified = "2024-08-12"
		md5 = "57e8a7ef21e7586d008d4116d70062a6"
		rev = 1
	strings:
		// A run of indirect calls (FF 15 = call [rip+disp32]) each preceded by
		// "mov r8d, imm32" loading 8, 0x20 and 0xC (r8d is the third argument in
		// the Windows x64 convention, so these read as fixed sizes/lengths) and
		// each followed by "test eax, eax" plus a conditional jump (85 C0 0F 8?).
		// The middle fragment (48 83 ?? 08 48 3B ?? 0F 8?) is an 8-byte adjust,
		// a 64-bit compare and a branch. Per the identifier this is the decoy
		// document parsing routine; the exact APIs cannot be read from the bytes.
		$parse_decoy_document = { FF 15 [4-32] 41 B8 08 00 00 00 [4-32] FF 15 [4] 85 C0 0F 8? [4-32] 48 83 ?? 08 48 3B ?? 0F 8? [4-32] 41 B8 20 00 00 00 [4-32] FF 15 [4] 85 C0 0F 8? [4-32] 41 B8 0C 00 00 00 [4-32] FF 15 [4] 85 C0 0F 8? }
		// The 16-byte Salsa20/ChaCha constant "expand 32-byte k" split into its
		// four 4-byte words ("expa", "nd 3", "2-by", "te k") with up to 12 bytes
		// between them, e.g. when each word is loaded by a separate immediate.
		$chacha_marker = { 65 78 70 61 [0-12] 6E 64 20 33 [0-12] 32 2D 62 79 [0-12] 74 65 20 6B }
	condition:
		// Both patterns required. There is no PE-header gate, so the rule also
		// applies to memory dumps and other non-PE carriers (and to any file
		// that happens to contain both byte sequences).
		all of them
}
Details Yara rule 2
// Detects the MISTPEN backdoor as a PE file via a mix of plain strings,
// split (piecewise) strings and x86-64 code patterns. The md5 in meta is the
// reference sample only; it is not part of the condition.
rule M_APT_Backdoor_MISTPEN_2 {
	meta:
		author = "Mandiant"
		date_created = "2024-08-13"
		date_modified = "2024-08-13"
		md5 = "eca8eb8871c7d8f0c6b9c3ce581416ed"
		rev = 1
	strings:
		// HTTP Cookie header with a fixed session-cookie name; consistent with
		// the *.php URLs in the attribute list above (presumably C2 traffic).
		$s1 = "Cookie: _PHPSESSIONID="
		// printf-style format string.
		$s2 = "%d_%s_%d"
		// Status token; fullword avoids hits inside longer words. Its use is
		// tied to the $send_DEAD_signal code pattern below (per the names).
		$s3 = "DEAD" fullword
		// "Sleep Success\0" and "Hiber Success\0" matched as 4-byte chunks with
		// 1-16 bytes between them, which fits strings assembled from 4-byte
		// immediates at runtime rather than stored contiguously.
		$s4_sleep_succcess = { 53 6C 65 65 [1-16] 70 20 53 75 [1-16] 63 63 65 73 [1-16] 73 00 }
		$s5_hiber_success = { 48 69 62 65 [1-16] 72 20 53 75 [1-16] 63 63 65 73 [1-16] 73 00 }
		// Format string printing a pointer (debug/log style).
		$s6 = "Loaded at %p"
		// UTF-16 file name; matches the setup.bin attribute listed above.
		$s7 = "setup.bin" wide
		// Code pattern: a qword store of -1 (48 C7 ?? FF FF FF FF), byte copies,
		// "mov ecx, 0x40" (B9 40 00 00 00) before an indirect call (FF 15), then
		// "lea rcx, [rax+8]" (48 8D 48 08) followed by a direct call (E8).
		$send_DEAD_signal = { 8B 05 [4] 48 C7 ?? FF FF FF FF 89 45 ?? 0F B6 05 [4] 88 45 ?? 4? 8D [2-64] B9 40 00 00 00 FF 15 [4-8] 8? ?? 01 [1-32] 48 8D 48 08 E8 }
		// "and ebx, 9 ; add ebx, 0x2711 (10001)" -- a distinctive constant pair.
		$const_marker = { 83 E3 09 81 C3 11 27 00 00 }
	condition:
		// Gate on a PE file ("MZ" at 0, "PE\0\0" at e_lfanew), then require
		// either any 6 of the 9 strings or the four plain text strings together.
		(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and (6 of them or ($s1 and $s2 and $s3 and $s6))
}
Details Yara rule 2
// Detects the TEARPAGE launcher by three x86-64 code patterns. The md5 in meta
// is the reference sample only; it is not part of the condition.
rule M_APT_Launcher_TEARPAGE_1 {
	meta:
		author = "Mandiant"
		date_created = "2024-08-13"
		date_modified = "2024-08-13"
		md5 = "006cbff5d248ab4a1d756bce989830b9"
		rev = 1
	strings:
		// After an indirect call (FF 15), "cmp eax, 0x2C" (83 F8 2C) with a
		// branch; then two calls with r8d = 0x20 and 0xC (third argument), each
		// checked via "test eax, eax" + jcc; then "add esi, -0x2C" (83 C6 D4,
		// sign-extended) and "mov ecx, 0x40" before another indirect call. The
		// repeated 0x2C (44) suggests a 44-byte prefix/header -- confirm against
		// the sample; the APIs cannot be read from the bytes.
		$load_encrypted_payload = { FF 15 [4-8] 83 F8 2C 0F 8? [4-32] 41 B8 20 00 00 00 [4-12] FF 15 [4] 85 C0 0F 8? [4-32] 41 B8 0C 00 00 00 [4-12] FF 15 [4] 85 C0 0F 8? [4-32] 83 C6 D4 B9 40 00 00 00 [2-16] FF 15 }
		// The Salsa20/ChaCha constant "expand 32-byte k" split into its four
		// 4-byte words with up to 12 bytes between them; the same pattern is
		// used in M_Launcher_BURNBOOK_2.
		$chacha_marker = { 65 78 70 61 [0-12] 6E 64 20 33 [0-12] 32 2D 62 79 [0-12] 74 65 20 6B }
		// "cmp dword [reg+disp], 'PE\0\0'" (81 3C .. 50 45 00 00) checks a PE
		// signature in memory; "mov ecx, 0x1FFFFF" (B9 FF FF 1F 00) loads a value
		// equal to PROCESS_ALL_ACCESS into the first argument; two stack stores
		// (C7 44 24 ..) of 0x40 and 0x3000 -- values equal to
		// PAGE_EXECUTE_READWRITE and MEM_COMMIT|MEM_RESERVE -- precede a call
		// through r8-r15 (41 FF D?) whose result is tested. Consistent with a
		// VirtualAlloc-family allocation for a loaded PE; confirm against the
		// sample before relying on that reading.
		$load_pe = { 81 3C [1-3] 50 45 00 00 [1-8] 8B [1-3] 50 [4-32] B9 FF FF 1F 00 [2-16] FF 15 [4-64] C7 44 24 [1-8] 40 00 00 00 C7 44 24 [1-8] 00 30 00 00 41 FF D? 85 C0 0F 8? }
	condition:
		// All three patterns required; no PE-header gate, so memory dumps and
		// non-PE carriers are in scope.
		all of them
}