New Spear Phish Methodology Relies on PuTTY SSH Client to Infect Systems

  • Hackers associated with North Korea are using trojanized versions of the PuTTY SSH open-source terminal emulator to install backdoors on victims’ devices.

    Discovered by Mandiant, the threat actor responsible for this campaign would be ‘UNC4034’ (also known as Temp.Hermit or Labyrinth Chollima).

    “Mandiant identified several overlaps between UNC4034 and threat clusters we suspect have a North Korean nexus,” reads an advisory published by the company on Wednesday.

    The campaign, trying to trick victims into clicking on malicious files as part of a fake Amazon job assessment, would build on a previous, existing one called ‘Operation Dream Job.’

    The methodology used by UNC4034 would now be evolving, according to Mandiant.

    “In July 2022, during proactive threat hunting activities at a company in the media industry, Mandiant Managed Defense identified a novel spear phish methodology employed by the threat cluster tracked as UNC4034,” the company wrote.

    “UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility.”

    The use of ISO files has become increasingly common in the delivery of both commodity and targeted malware, explained the company.

    “Mandiant has observed well-known actors, such as APT29, adopting the use of ISO files to deliver their malware.”

    According to the advisory, the executable embedded in each ISO file by UNC4034 is a fully functional PuTTY application but also contains malicious code that writes an embedded payload on the disk and launches it.

    After launch, the program attempts to establish persistence by creating a new, scheduled task daily at 10:30 AM local time.

    “This is likely one of several malware delivery techniques being employed by North Korean actors after a target has responded to a fabricated job lure,” Mandiant wrote. “Recent public reporting also details the usage of other social media platforms to pose as legitimate companies and post fake job advertisements that target cryptocurrency developers.”

    The advisory also includes several technical indicators to help companies spot UNC4034-related activity. Its publication comes days after US authorities seized $30m in stolen cryptocurrency from North Korea.