Researchers at Mandiant, a Google-owned threat intelligence firm, report that North Korean hackers are distributing trojanized versions of the PuTTY client application. The hackers use this novel spear-phishing method to deliver trojanized builds of the PuTTY SSH and Telnet client.
The threat intelligence firm linked the new campaign to an emerging threat cluster it tracks under the name UNC4034.
Mandiant, a leading provider of business risk and digital security services, said that starting in 2017, the group behind “AIRDRY.V2” delivered the backdoor through a trojanized instance of the PuTTY utility, communicating with victims and luring them with an ISO package concerning a fake job offer.
The use of fabricated job lures by North Korean state-sponsored actors is a favored tactic that we have seen throughout the Operation Dream Job campaign.
The entry point of the attack is an ISO file that masquerades as an Amazon assessment. The file was shared over WhatsApp after contact was initiated over email.
The archive contains a text file with a login and credentials for an altered PuTTY, which deploys the most recent variant of AIRDRY with the help of a dropper called DAVESHELL. It is possible the attacker convinced the victim to launch a session in PuTTY and use the credentials in the TXT file to remotely connect to the infected host.
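As an added example (not code from the article or from Mandiant), the following triage heuristic flags an extracted archive listing that matches the lure pattern just described: a PuTTY-named executable whose hash is not on a vendor allowlist, delivered alongside a text file of connection credentials. The allowlist value and the sample entries are constructed placeholders; the hostnames and passwords in the sample are made up.

```python
"""Hypothetical triage heuristic for archives resembling the UNC4034 lure.
Constructed for illustration; not Mandiant's detection logic."""
import re
from dataclasses import dataclass

# Constructed placeholder: populate with SHA-256 hashes of PuTTY builds you
# downloaded from the vendor yourself. This value is NOT a real hash.
KNOWN_GOOD_PUTTY_SHA256 = {"PLACEHOLDER_SHA256_OF_VENDOR_PUTTY_EXE"}

# Lines such as "Host: ...", "Username=...", "Password: ..." in a text file.
CREDENTIAL_LINE = re.compile(r"^\s*(host|hostname|user(name)?|pass(word)?)\s*[:=]", re.I)


@dataclass
class Entry:
    name: str
    sha256: str
    text: str = ""  # decoded content for small text files, otherwise empty


def is_putty_binary(e: Entry) -> bool:
    n = e.name.lower()
    return n.endswith(".exe") and "putty" in n


def has_credentials(e: Entry) -> bool:
    if not e.name.lower().endswith(".txt"):
        return False
    hits = sum(1 for line in e.text.splitlines() if CREDENTIAL_LINE.match(line))
    return hits >= 2  # at least two of host/user/password lines


def triage(entries: list) -> list:
    """Return human-readable findings for the archive listing."""
    findings = []
    putty = [e for e in entries if is_putty_binary(e)]
    creds = [e for e in entries if has_credentials(e)]
    for e in putty:
        if e.sha256 not in KNOWN_GOOD_PUTTY_SHA256:
            findings.append(f"{e.name}: PuTTY-named executable not in vendor allowlist")
    if putty and creds:
        findings.append("archive pairs a PuTTY executable with credential text (fake-job lure pattern)")
    return findings


# Constructed sample listing: an altered PuTTY plus a README with login details.
SAMPLE = [
    Entry("PuTTY.exe", "deadbeef" * 8),
    Entry("Readme.txt", "0" * 64, "Host: 192.0.2.10\nUsername: candidate\nPassword: Welcome1"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("ALERT:", finding)
```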
AIRDRY, also known as BLINDINGCAN, has been used by North Korea-linked hackers in the past to attack U.S. defense contractors and entities in South Korea and Latvia.
This new malware interface has been found to be much more user-friendly and does not require specific commands.
Mandiant said it was able to prevent post-exploitation activity without the implant.