Threat Horizons-Cloud Threat Intelligence

2021-11-26 Google

https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf

Attachments

gcat_threathorizons_full_nov2021.pdf (3 MB)


Google's Threat Horizons report says TAG observed North Korean government-backed attackers posing as Samsung recruiters and sending fake job offers to employees at South Korean anti-malware companies. The lure was a deliberately malformed PDF job description; when targets replied that the file would not open, the attackers sent a Google Drive link to malware disguised as a secure PDF reader. This trojanized PDFTron reader decoded an embedded PE and PDF, dropped an implant, and used a compromised South Korean website for command and control, with the ability to execute commands and upload files.
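The trojanized reader described above carries its payload encoded inside the carrier binary, so a plain string search for an MZ or %PDF- header will not find it. The scanner below is an added example, not code from Google's report or from TAG: it searches a file for embedded PE images and PDF documents under every single-byte XOR key (key 0 covers the unencoded case) and validates PE candidates through e_lfanew rather than trusting a bare "MZ". The single-byte XOR encoding and the sample carrier file it scans are constructed here for illustration; the report does not state how the real sample encoded its payload.

```python
"""Scan a binary for embedded PE and PDF payloads, plain or XOR-encoded.

Added example: the carrier built by build_sample() is constructed for this
demo and does not reproduce the actual trojanized PDFTron reader.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
PDF_MAGIC = b"%PDF-"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to the whole buffer."""
    return bytes(b ^ key for b in data)


def find_pe(buf: bytes) -> list[int]:
    """Return offsets of MZ headers whose e_lfanew points at a PE signature.

    Checking e_lfanew (dword at MZ+0x3C) filters out the many random
    two-byte 'MZ' matches that a naive string search produces.
    """
    hits, start = [], 0
    while True:
        i = buf.find(MZ, start)
        if i < 0 or i + 0x40 > len(buf):
            break
        e_lfanew = struct.unpack_from("<I", buf, i + 0x3C)[0]
        pe = i + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == PE_SIG:
            hits.append(i)
        start = i + 1
    return hits


def find_pdf(buf: bytes) -> list[int]:
    """Return offsets of every '%PDF-' magic in the buffer."""
    hits, start = [], 0
    while True:
        i = buf.find(PDF_MAGIC, start)
        if i < 0:
            break
        hits.append(i)
        start = i + 1
    return hits


def scan(buf: bytes) -> list[tuple[int, str, int]]:
    """Try all 256 single-byte XOR keys; return (key, kind, offset) hits.

    Decoding the whole buffer per key is O(256 * n); fine for a few MB,
    but slice large files or restrict to overlay/resource regions in bulk use.
    """
    results = []
    for key in range(256):
        dec = xor_bytes(buf, key)
        results += [(key, "pe", off) for off in find_pe(dec)]
        results += [(key, "pdf", off) for off in find_pdf(dec)]
    return results


def build_sample() -> bytes:
    """Constructed carrier: zero padding, a minimal fake PE and a tiny PDF,
    both XOR-encoded with key 0x5A. Purely synthetic test data."""
    fake_pe = bytearray(0x80 + 4)
    fake_pe[0:2] = MZ
    struct.pack_into("<I", fake_pe, 0x3C, 0x80)  # e_lfanew -> PE signature
    fake_pe[0x80:0x84] = PE_SIG
    pdf = b"%PDF-1.7\n%EOF\n"
    return (b"\0" * 200 + xor_bytes(bytes(fake_pe), 0x5A)
            + b"\0" * 50 + xor_bytes(pdf, 0x5A) + b"\0" * 20)


if __name__ == "__main__":
    for key, kind, off in scan(build_sample()):
        print(f"{kind.upper():3} at offset {off:#06x} (xor key {key:#04x})")
```

Pointing the same scan at a real dropper is a quick first triage step; when it reports a PE under a non-zero key, carve the decoded region from that offset for analysis, and treat a hit at key 0 as an unencoded overlay or resource payload.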

Indicators of Compromise

Type   Value                          First Seen   Last Seen
YARA   UC_ttp_BlackMatter__SafeBoot   2021-11-26   2021-11-26
YARA   UC_ttp_BlackMatter__RegKeys    2021-11-26   2021-11-26
