Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

North Korean Hackers Spreading Trojanized Versions of PuTTY Client Application

A threat with a North Korea nexus has been found leveraging a “novel spear phish methodology” that involves making use of trojanized versions of the PuTTY SSH and Telnet client.

Google-owned threat intelligence firm Mandiant attributed the new campaign to an emerging threat cluster it tracks under the name UNC4034.

“UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility,” Mandiant researchers said.

The utilization of fabricated job lures as a pathway for malware distribution is an oft-used tactic by North Korean state-sponsored actors, including the Lazarus Group, as part of an enduring campaign called Operation Dream Job.

The entry point of the attack is an ISO file that masquerades as an Amazon Assessment as part of a potential job opportunity at the tech giant. The file was shared over WhatApp after establishing initial contact over email.

The archive, for its part, holds a text file containing an IP address and login credentials, and an altered version of PuTTY that, in turn, loads a dropper called DAVESHELL, which deploys a newer variant of a backdoor dubbed AIRDRY.

It’s likely that the threat actor convinced the victim to launch a PuTTY session and use the credentials provided in the TXT file to connect to the remote host, effectively activating the infection.

AIRDRY, also known as BLINDINGCAN, has in the past been used by North Korea-linked hackers to strike U.S. defense contractors and entities in South Korea and Latvia.

While earlier versions of the malware came with nearly 30 commands for file transfer, file management, and command execution, the latest version has been found to eschew the command-based approach in favor of plugins that are downloaded and executed in memory.

Mandiant said it was able to contain the compromise before any further post-exploitation activities could take place following the deployment of the implant.

The development is yet another sign that the use of ISO files for initial access is gaining traction among threat actors to deliver both commodity and targeted malware.

The shift is also attributable to Microsoft’s decision to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros for Office apps downloaded from the internet by default.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

Portion of Twitter’s proprietary source code leaked on GitHub

Portion of Twitter’s proprietary source code leaked on GitHub

Reportedly, the source code remained public for several months before being taken down by GitHub. According to a news report…
Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu and more Pwned

Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu and more Pwned

At Pwn2Own 2023, participants were awarded a full bounty (more than $1,000,000) in each round for successful exploits. Pwn2Own, as…
Latitude Financial Data Breach: 14 Million Customers Affected

Latitude Financial Data Breach: 14 Million Customers Affected

The Australian consumer lender, Latitude Financial, has suffered a major cyber attack, leading to a data breach of passport and…