The BURNBOOK malware, known for its association with the North Korea-linked cyber espionage group UNC2970, has been identified as a crucial component in the deployment and management of the MISTPEN backdoor. This sophisticated malware disguises itself as a modified version of a legitimate SumatraPDF dynamic-link library (libmupdf.dll) and serves as the initial stage in a multi-layered infection chain. Its primary function is to decrypt and execute payloads embedded within seemingly innocuous PDF documents, all while evading detection by endpoint security solutions.
In technical terms, BURNBOOK acts as both a dropper and a loader, bridging the gap between the initial infection vector and the deployment of secondary payloads. When a victim opens a trojanized PDF file using the modified SumatraPDF binary, BURNBOOK decrypts the malicious contents of the PDF with the ChaCha20 stream cipher. It then executes the decrypted backdoor payload in memory, bypassing traditional disk-based security scans. Additionally, BURNBOOK establishes persistence mechanisms, such as scheduled tasks that run legitimate Windows binaries, to ensure the continued execution of the secondary payload even after a system reboot.
The malware targets sectors such as public administration and information, as well as individuals, highlighting the broad scope of its potential impact.
Operating through DLL Search-Order Hijacking, BURNBOOK strategically inserts the trojanized libmupdf.dll alongside a legitimate SumatraPDF binary. When a user interacts with a trojanized PDF lure, the SumatraPDF executable prioritizes loading the local malicious DLL, enabling BURNBOOK to execute the secondary payload, MISTPEN, in memory. This tactic allows the malware to stay hidden while executing malicious actions in the background. By using ChaCha20 encryption, BURNBOOK decrypts the embedded payload within the PDF, creating a seamless facade of a genuine document while executing malicious code surreptitiously.
To maintain persistence, BURNBOOK creates a scheduled task named Sumatra Launcher, ensuring daily execution of a legitimate Windows binary to load another malicious DLL through DLL hijacking. This secondary DLL serves as a conduit for executing the MISTPEN payload, effectively evading detection by traditional endpoint security systems. Additionally, the malware conceals the encrypted backdoor in a hidden file named thumbs.ini, ensuring the availability of the payload even if the initial infection is removed.
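The tradecraft described above (libmupdf.dll side-loaded beside a user-writable SumatraPDF.exe, a scheduled task named Sumatra Launcher, and a hidden thumbs.ini) lends itself to simple hunting rules. The following is an added example, not code from the report or from any vendor; the event dictionaries are constructed sample telemetry in an assumed, vendor-neutral shape, and the "under a user profile means user-writable" check is a heuristic assumption.

```python
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real IoCs); the dict keys are an assumed,
# vendor-neutral shape, not any product's schema.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": r"C:\Users\alice\Downloads\SumatraPDF.exe",
     "image": r"C:\Users\alice\Downloads\libmupdf.dll"},
    {"type": "image_load", "process": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"type": "task_create", "task_name": "Sumatra Launcher",
     "command": r"C:\Windows\System32\<legit-binary>.exe"},  # placeholder, not named in the report
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\thumbs.ini",
     "hidden": True},
    {"type": "file_create", "path": r"C:\Users\alice\Pictures\Thumbs.db",
     "hidden": True},
]

# Heuristic assumption: anything under a user profile is user-writable, so a
# SumatraPDF binary there can be paired with an attacker-supplied libmupdf.dll.
USER_WRITABLE_PREFIXES = ("c:\\users\\",)

def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)

def hunt(events):
    """Return (rule, detail) pairs for events matching BURNBOOK tradecraft."""
    hits = []
    for ev in events:
        if ev["type"] == "image_load":
            exe = PureWindowsPath(ev["process"])
            dll = PureWindowsPath(ev["image"])
            # Rule 1: SumatraPDF loading libmupdf.dll from its own directory in a
            # user-writable location (DLL search-order hijacking pattern).
            if (exe.name.lower() == "sumatrapdf.exe"
                    and dll.name.lower() == "libmupdf.dll"
                    and dll.parent == exe.parent
                    and is_user_writable(str(dll))):
                hits.append(("sumatra_libmupdf_sideload", str(dll)))
        elif ev["type"] == "task_create":
            # Rule 2: the persistence task name reported for BURNBOOK.
            if ev["task_name"].strip().lower() == "sumatra launcher":
                hits.append(("burnbook_scheduled_task", ev["command"]))
        elif ev["type"] == "file_create":
            # Rule 3: a hidden thumbs.ini, where the encrypted backdoor is staged.
            if ev.get("hidden") and PureWindowsPath(ev["path"]).name.lower() == "thumbs.ini":
                hits.append(("hidden_thumbs_ini", ev["path"]))
    return hits

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Rule 1 deliberately ignores a SumatraPDF install under Program Files, so it raises alerts only for copies dropped into user-writable paths alongside the lure; tune the prefix list to your environment.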
Apart from its execution and persistence tactics, BURNBOOK showcases advanced defense evasion techniques. By encrypting payloads and masquerading as legitimate files, the malware seamlessly integrates into normal processes while communicating securely with its Command-and-Control infrastructure. This adaptability allows operators to deploy additional tools or modify the malware’s behavior as per operational requirements.
In conclusion, BURNBOOK represents a sophisticated threat with its emphasis on stealth, persistence, and adaptability. Defenders must remain vigilant and adopt a layered security approach to detect and mitigate such threats effectively. As UNC2970 continues to refine its techniques, understanding the details of BURNBOOK becomes paramount in defending against this threat.