An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader

    Date: 09/19/2024

    Severity: Medium

    Summary

    The "An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader" report details how the threat actor group UNC2970 delivers a backdoor through a trojanized PDF reader. Victims are lured into downloading a malicious build of the software, which silently installs the backdoor on their systems. The backdoor gives the attackers remote access and control, potentially leading to data theft and further exploitation. The incident underscores the risk of running unverified software and the need for robust security controls.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "https://www.clinicabaru.co/wp-content/plugins/caldera-forms/ui/viewer-two/viewer-2.php" or url like "https://www.clinicabaru.co/wp-content/plugins/caldera-forms/ui/viewer-two/viewer-2.php"
    or userdomainname like "https://cmasedu.com/wp-content/plugins/kirki/inc/script.php" or url like "https://cmasedu.com/wp-content/plugins/kirki/inc/script.php"
    or userdomainname like "https://bmtpakistan.com/solution/wp-content/plugins/one-click-demo-import/assets/asset.php" or url like "https://bmtpakistan.com/solution/wp-content/plugins/one-click-demo-import/assets/asset.php"
    or userdomainname like "https://verisoftsystems.com/wp-content/plugins/optinmonster/views/upgrade-link-style.php" or url like "https://verisoftsystems.com/wp-content/plugins/optinmonster/views/upgrade-link-style.php"
    or userdomainname like "https://graph.microsoft.com/v1.0/me/drive/root:/path/upload/world/266A25710006EF92" or url like "https://graph.microsoft.com/v1.0/me/drive/root:/path/upload/world/266A25710006EF92"
    or userdomainname like "heropersonas.com" or url like "heropersonas.com"
    or userdomainname like "https://dstvdtt.co.za/wp-content/plugins/social-pug/assets/lib.php" or url like "https://dstvdtt.co.za/wp-content/plugins/social-pug/assets/lib.php"

    Hash

    MD5Hash IN ("28a75771ebdb96d9b49c9369918ca581","57e8a7ef21e7586d008d4116d70062a6","f3baee9c48a2f744a16af30220de5066","006cbff5d248ab4a1d756bce989830b9","0b77dcee18660bdccaf67550d2e00b00","b707f8e3be12694b4470255e2ee58c81","cd6dbf51da042c34c6e7ff7b1641837d","eca8eb8871c7d8f0c6b9c3ce581416ed")
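    The two queries above do an exact match on the full URL string and on the MD5 value. The following added example (not part of the advisory, and not Gurucul's code) shows the same checks applied to normalised log events, with two refinements a practitioner usually wants: the query string is stripped before the URL comparison, the bare domain indicator is matched on the host (including subdomains) rather than on the whole URL, and the hash is lower-cased before lookup. Only a subset of the advisory's indicators is loaded; the event dictionary keys `url`, `md5` and `host` are assumptions, not Gurucul field names.

```python
"""Match normalised log events against the advisory's URL, domain and MD5 indicators."""
from urllib.parse import urlsplit

# A subset of the indicators published in the advisory above.
IOC_URLS = {
    "https://graph.microsoft.com/v1.0/me/drive/root:/path/upload/world/266A25710006EF92",
    "https://dstvdtt.co.za/wp-content/plugins/social-pug/assets/lib.php",
    "https://cmasedu.com/wp-content/plugins/kirki/inc/script.php",
}
IOC_DOMAINS = {"heropersonas.com"}
IOC_MD5 = {"28a75771ebdb96d9b49c9369918ca581", "57e8a7ef21e7586d008d4116d70062a6"}


def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare host such as 'example.org' is returned as-is."""
    parsed = urlsplit(url if "://" in url else "//" + url)
    return (parsed.hostname or "").lower()


def domain_matches(host: str) -> bool:
    """True when the host is an indicator domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_event(event: dict) -> list[str]:
    """Return the indicator matches for one event (empty list when it is clean)."""
    reasons = []
    url = event.get("url", "")
    if url:
        # Exact match on the URL without its query string, so a cache-busting
        # or tracking parameter does not defeat the comparison.
        base = url.split("?", 1)[0]
        if base in IOC_URLS:
            reasons.append("url:" + base)
        if domain_matches(host_of(url)):
            reasons.append("domain:" + host_of(url))
    md5 = event.get("md5", "").lower()  # hashes are compared case-insensitively
    if md5 in IOC_MD5:
        reasons.append("md5:" + md5)
    return reasons


# Constructed sample events (assumed field names; not taken from the advisory).
SAMPLE_EVENTS = [
    {"host": "ws01", "url": "https://cmasedu.com/wp-content/plugins/kirki/inc/script.php?v=3"},
    {"host": "ws02", "url": "https://www.heropersonas.com/"},
    {"host": "ws03", "md5": "28A75771EBDB96D9B49C9369918CA581"},
    {"host": "ws04", "url": "https://example.org/index.html", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each matching event's host to its list of indicator matches."""
    return {e["host"]: match_event(e) for e in events if match_event(e)}
```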

    Reference: 

    https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader 


    Tags

    Malware, Backdoor, Trojan
