This article presents a simulated attack by the Labyrinth Chollima APT group targeting employees in the energy and aerospace sectors through spear phishing campaigns disguised as legitimate job offerings. The attack employs trojanized software and malicious documents to gain unauthorized access to victim systems. Affected: energy sector, aerospace industry
Key points:
- The Labyrinth Chollima APT group simulates attacks on critical infrastructure sectors.
- The campaign uses legitimate job descriptions to lure victims into opening malicious files.
- A password-protected ZIP archive contains an encrypted PDF and a modified PDF viewer.
- The attack relies on an older version of SumatraPDF that does not have countermeasures against DLL injection.
- DLL injection is performed using Shellter to deliver the malicious payload.
- The attack facilitates reverse connections for data exfiltration post-exploitation.
- BURNBOOK serves as the launcher, running in the background to execute the encrypted payloads.
- The backdoor is established by modifying the SumatraPDF library.
MITRE Techniques:
- Phishing (T1566) – The attack uses spear-phishing emails disguised as job descriptions to lure victims.
- Execution (T1203) – The malicious DLL executes when the victim opens the PDF with the trojanized PDF viewer.
- Persistence (T1050) – The DLL persists so that the malicious payload executes each time the PDF viewer is run.
- Command and Control (T1071) – A backdoor is installed in the victim’s system allowing remote access and data exfiltration.
- Data Exfiltration (T1041) – The attack allows the exfiltration of data once a connection from the compromised machine is established.
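The chain described above (trojanized viewer dropped from a job-offer archive, a modified library loaded by that viewer, and an outbound connection for command and control) leaves a recognisable footprint in endpoint telemetry. The script below is an added detection sketch, not code from the article or from the BEAR / APT-Attack-Simulation projects it cites. It assumes a simplified, Sysmon-like key=value log format (constructed sample lines; the `Signed` field on process-create events and the exact field names are assumptions) and flags a PDF viewer that is launched unsigned from a user-writable directory, loads an unsigned DLL from such a directory, or opens a network connection.

```python
"""Detection sketch: correlate process-create, image-load and network events for a PDF viewer."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs), loosely modelled on Sysmon
# Event ID 1 (process create), 7 (image load) and 3 (network connection).
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Users\alice\Downloads\JobOffer\SumatraPDF.exe Signed=false",
    r"EventID=7 Image=C:\Users\alice\Downloads\JobOffer\SumatraPDF.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true",
    r"EventID=7 Image=C:\Users\alice\Downloads\JobOffer\SumatraPDF.exe ImageLoaded=C:\Users\alice\Downloads\JobOffer\libmupdf.dll Signed=false",
    r"EventID=3 Image=C:\Users\alice\Downloads\JobOffer\SumatraPDF.exe DestinationIp=203.0.113.10 DestinationPort=443",
    r"EventID=1 Image=C:\Program Files\SumatraPDF\SumatraPDF.exe Signed=true",
    r"EventID=7 Image=C:\Program Files\SumatraPDF\SumatraPDF.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true",
]

# Directories an ordinary user can write to; a legitimately installed viewer
# lives under Program Files and loads its DLLs from there or from System32.
USER_WRITABLE = re.compile(
    r"^C:\\(Users\\[^\\]+\\(Downloads|Desktop|AppData)|Windows\\Temp)", re.I
)
# Viewer binaries to watch (lower-case); extend for other readers as needed.
VIEWER_NAMES = ("sumatrapdf.exe",)


def parse_event(line):
    """Split one 'key=value key=value' line into a dict.

    Values may contain spaces (e.g. 'Program Files'), so the value is read
    lazily up to the next ' key=' token or end of line.
    """
    return {
        m.group(1): m.group(2)
        for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line)
    }


def analyse(lines):
    """Return {viewer_image_path: [reason, ...]} for every suspicious signal seen."""
    findings = defaultdict(list)
    for ev in map(parse_event, lines):
        image = ev.get("Image", "")
        if not image.lower().endswith(VIEWER_NAMES):
            continue  # only viewer processes are in scope
        eid = ev.get("EventID")
        if eid == "1":
            # Viewer started from a user-writable path and not code-signed:
            # consistent with an archive-dropped, modified copy rather than an install.
            if USER_WRITABLE.match(image) and ev.get("Signed") == "false":
                findings[image].append("unsigned viewer launched from user-writable path")
        elif eid == "7":
            # Unsigned DLL loaded from a user-writable path beside the viewer:
            # the side-loaded / modified library stage of the chain.
            loaded = ev.get("ImageLoaded", "")
            if ev.get("Signed") == "false" and USER_WRITABLE.match(loaded):
                findings[image].append(f"unsigned DLL loaded from user-writable path: {loaded}")
        elif eid == "3":
            # A document viewer has little reason to open outbound sockets;
            # this is where a reverse connection for C2 / exfiltration shows up.
            dst = f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
            findings[image].append(f"outbound connection to {dst}")
    return dict(findings)


def verdict(findings):
    """A process is judged suspicious when at least two independent signals fire."""
    return {image: len(reasons) >= 2 for image, reasons in findings.items()}


if __name__ == "__main__":
    hits = analyse(SAMPLE_EVENTS)
    for image, flagged in verdict(hits).items():
        print(f"{'SUSPICIOUS' if flagged else 'review'}: {image}")
        for reason in hits[image]:
            print(f"  - {reason}")
```

Requiring two signals keeps a lone unsigned DLL load (common with portable builds) from paging anyone, while the full chain from the article trips all three. The legitimately installed copy in the sample produces no findings at all.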
Indicators of Compromise:
- [URL] https://github.com/sumatrapdfreader/sumatrapdf
- [URL] https://sumatra-pdf-portable.en.uptodown.com/windows/download/62634650
- [GitHub] https://github.com/S3N4T0R-0X0/BEAR
- [GitHub] https://github.com/S3N4T0R-0X0/APT-Attack-Simulation/tree/main/North%20Koreans%20APT/Labyrinth%20Chollima