Hackers trojanize PuTTY SSH client to backdoor media company (Security News, September 2022)
North Korean hackers are using trojanized versions of the PuTTY SSH client to deploy backdoors on targets' devices as part of a fake Amazon job assessment.
A novel element in this campaign is the use of trojanized versions of the PuTTY and KiTTY SSH utilities to deploy a backdoor, in this case 'AIRDRY.V2'.
The ISO includes a text file containing an IP address and login credentials, along with a trojanized version of PuTTY, a very popular open-source SSH client.
The PuTTY shared by the hackers was modified to embed a malicious payload in its data section, which makes the tampered binary significantly larger than the legitimate build. File size alone is a weak signal, though: the reliable check is to compare the hash and the Authenticode signature against the official PuTTY release, since legitimate PuTTY binaries are code-signed.
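One way to triage a suspect PuTTY binary for this kind of padding is to read its PE section table and look for a `.data` section that is out of proportion to `.text`. The script below is an added example, not tooling from the article or from Mandiant; it parses only the COFF and section headers with the standard library, the "`.data` at least as large as `.text`" heuristic and its threshold are assumptions, and `build_sample_pe()` fabricates header-only PE blobs purely so the check can be run offline.

```python
"""PE section triage for a suspected padded PuTTY build (added example)."""
import struct
import sys

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def parse_pe_sections(data: bytes):
    """Return a list of (name, virtual_size, raw_size) for each PE section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                       # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, raw_size))
    return sections


def suspicious_data_section(sections, ratio: float = 1.0) -> bool:
    """Heuristic (assumption): a .data section at least `ratio` times the size of
    .text is unusual for a console SSH client and deserves a closer look."""
    sizes = {name: raw for name, _vs, raw in sections}
    text, data = sizes.get(".text", 0), sizes.get(".data", 0)
    return text > 0 and data >= ratio * text


def build_sample_pe(text_raw: int, data_raw: int) -> bytes:
    """Constructed header-only PE with a .text and a .data section (no section
    bodies; the parser only reads headers)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                    # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    optional = b"\0" * opt_size                        # contents irrelevant here

    def section(name, vsize, vaddr, raw, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw, raw_ptr,
                           0, 0, 0, 0, flags)

    text = section(b".text", text_raw, 0x1000, text_raw, 0x400, 0x60000020)
    data = section(b".data", data_raw, 0x200000, data_raw, 0x400 + text_raw, 0xC0000040)
    return dos + b"PE\0\0" + coff + optional + text + data


if __name__ == "__main__":
    if len(sys.argv) > 1:                              # python3 triage.py putty.exe
        samples = [(sys.argv[1], open(sys.argv[1], "rb").read())]
    else:                                              # offline demo on constructed blobs
        samples = [("legit-like", build_sample_pe(1_200_000, 40_000)),
                   ("padded", build_sample_pe(1_200_000, 3_500_000))]
    for label, blob in samples:
        secs = parse_pe_sections(blob)
        verdict = "SUSPICIOUS" if suspicious_data_section(secs) else "ok"
        print(f"{label}: {verdict}")
        for name, vsize, raw in secs:
            print(f"  {name:<8} vsize={vsize:>10} raw={raw:>10}")
```

Run it against a real download with `python3 triage.py putty.exe`; a hit from this heuristic is a reason to pull the hash and signature, not a verdict on its own, since a legitimate build with unusual static data would also trigger it.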
The hackers modified PuTTY's connect_to_host() function so that, after a successful SSH connection using the enclosed credentials, the program deploys DAVESHELL, a shellcode payload delivered as a Themida-packed DLL.
To launch the shellcode stealthily, the malicious PuTTY abuses a DLL search order hijacking weakness in "Colorcpl.exe", the legitimate Windows Color Management tool, so that the trusted Windows binary loads the malicious DLL. DAVESHELL then acts as a dropper for the final payload, the AIRDRY.V2 backdoor, which is executed directly in memory.
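The sideloading step leaves a characteristic trace in endpoint telemetry: a copy of colorcpl.exe running outside a Windows system directory and loading an unsigned DLL from that same user-writable location. The detection logic below is an added example, not a rule from the article or from Mandiant. Field names follow Sysmon Event ID 7 (Image loaded: `Image`, `ImageLoaded`, `Signed`, `Signature`); the events are constructed, and the hijacked DLL name in them is a stand-in rather than an indicator from the report.

```python
"""Flag colorcpl.exe DLL search-order hijacking in Sysmon image-load events (added example)."""

HOST_PROCESS = "colorcpl.exe"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon Event ID 7 records, normalised to dicts.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\colorcpl.exe",
     "ImageLoaded": "C:\\Windows\\System32\\mscms.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\colorcpl.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\colorui.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": "C:\\Program Files\\PuTTY\\putty.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ws2_32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    return path.replace("/", "\\").lower().startswith(SYSTEM_DIRS)


def sideload_reasons(event: dict) -> list:
    """Return the reasons an Event ID 7 record looks like a colorcpl.exe sideload.
    An empty list means the event is benign under this logic."""
    if event.get("EventID") != 7 or _basename(event.get("Image", "")) != HOST_PROCESS:
        return []
    reasons = []
    if not _in_system_dir(event["Image"]):
        reasons.append("host binary runs from outside a Windows system directory")
    if not _in_system_dir(event["ImageLoaded"]):
        reasons.append("DLL loaded from a non-system directory")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("loaded DLL is unsigned")
    return reasons


def find_sideloads(events):
    """Return [(loaded_dll_path, reasons)] for every event that triggers."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for dll, reasons in find_sideloads(SAMPLE_EVENTS):
        print(f"ALERT {dll}")
        for r in reasons:
            print(f"  - {r}")
```

The three conditions are checked independently rather than as one combined rule so that a partial match (for example, the genuine System32 colorcpl.exe loading an unsigned DLL planted in its search path) still surfaces with a reason attached; the benign baseline of colorcpl.exe in System32 loading a Microsoft-signed DLL produces no finding.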