North Korean Hackers Spreading Trojanized Versions of PuTTY Client Application

A threat actor with a North Korea nexus has been found leveraging a "novel spear phish methodology" that involves trojanized versions of the PuTTY SSH and Telnet client.
"UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility," Mandiant researchers said.
The use of fabricated job lures as a pathway for malware distribution is an oft-used tactic by North Korean state-sponsored actors, including the Lazarus Group, as part of an enduring campaign called Operation Dream Job.
The ISO archive holds a text file containing an IP address and login credentials, together with an altered version of PuTTY that in turn loads a dropper called DAVESHELL, which deploys a newer variant of a backdoor dubbed AIRDRY. The threat actor most likely convinced the victim to launch a PuTTY session and use the credentials provided in the TXT file to connect to the remote host, effectively activating the infection.
While earlier versions of the malware came with nearly 30 commands for file transfer, file management, and command execution, the latest version has been found to eschew the command-based approach in favor of plugins that are downloaded and executed in memory.
The development is yet another sign that the use of ISO files for initial access is gaining traction among threat actors to deliver both commodity and targeted malware.
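The archive layout described above (a PuTTY-named executable shipped beside a text file holding an IP address and credentials) is a pattern a defender can triage automatically. The following is an added example, not code from Mandiant or The Hacker News; the file names, the stub PE bytes and the 192.0.2.10 address are constructed, and the hash allowlist is assumed to be maintained by the reader.

```python
"""Heuristic triage of a mounted ISO or extracted archive for the PuTTY-lure pattern."""
import hashlib
import os
import re
import tempfile

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CRED_RE = re.compile(r"(?i)\b(?:user(?:name)?|login|pass(?:word)?|pwd)\b\s*[:=]")

def is_pe(path):
    """True if the file starts with the DOS 'MZ' header (a Windows PE)."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def looks_like_credential_note(path):
    """True if a small text file carries both an IP address and a credential label."""
    try:
        with open(path, "r", errors="ignore") as f:
            text = f.read(4096)
    except OSError:
        return False
    return bool(IP_RE.search(text) and CRED_RE.search(text))

def triage(root, known_good_sha256=()):
    """Return a list of findings for one mounted ISO / extracted archive directory."""
    findings = []
    names = os.listdir(root)
    pe_files = [n for n in names
                if n.lower().startswith("putty") and is_pe(os.path.join(root, n))]
    notes = [n for n in names
             if n.lower().endswith(".txt") and looks_like_credential_note(os.path.join(root, n))]
    for n in pe_files:
        with open(os.path.join(root, n), "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        if digest not in known_good_sha256:   # allowlist of vendor-published PuTTY hashes (assumed)
            findings.append(f"{n}: PuTTY-named PE not on the allowlist (sha256 {digest[:16]}...)")
    if pe_files and notes:
        findings.append(f"lure pattern: {pe_files} shipped next to credential note {notes}")
    return findings

def demo():
    """Build a constructed lure directory and triage it (demonstration input only)."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "PuTTY.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)          # stub PE header, not a real binary
    with open(os.path.join(d, "readme.txt"), "w") as f:
        f.write("host: 192.0.2.10\nuser: dev\npassword: Welcome1\n")  # constructed note
    return triage(d)
```

Run `demo()` to see both findings; in practice point `triage()` at the mount point of a suspicious ISO and feed it the SHA-256 values published with the official PuTTY release.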
News URL
https://thehackernews.com/2022/09/north-korean-hackers-spreading.html