UNC4034 Trojanizing PuTTY

North Korean-based threat actors UNC4034 are using trojanized versions of the PuTTY SSH open-source terminal emulator to install backdoors on victims’ devices.

The campaign, trying to trick victims into clicking on malicious files as part of a fake Amazon job assessment, would build on a previous, existing one called Operation Dream Job. The methodology used by UNC4034 would now be evolving.

During the month of July 2022, researchers identified a novel spear phish methodology employed by the threat cluster tracked as UNC4034. Its established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility.

The executable embedded in each ISO file by UNC4034 is a fully functional PuTTY application but also contains malicious code that writes an embedded payload on the disk and launches it. Once after the launch, a new scheduled task will get created that executes daily

This is likely one of several malware delivery techniques being employed by North Korean actors after a target has responded to a fabricated job lure.

This research was done and documented by experts from Mandiant Managed Threat Defence

Indicators Of Compromise

• 8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b
• e03da0530a961a784fbba93154e9258776160e1394555d0752ac787f0182d3c0
• 1492fa04475b89484b5b0a02e6ba3e52544c264c294b57210404b96b65e63266
• cf22964951352c62d553b228cf4d2d9efe1ccb51729418c45dc48801d36f69b4
• aaad412aeb0f98c2c27bb817682f08673902a48b65213091534f96fe6f5494d9
• 3ac82652cf969a890345db1862deff4ea8885fe72fb987904c0283a2d5e6aac4
• 137.184.15[.]189
• https://hurricanepub[.]com/include/include.php
• https://turnscor[.]com/wp-includes/contacts.php
• https://www.elite4print[.]com/support/support.asp
• C:\ProgramData\PackageColor\colorcpl.exe
• C:\ProgramData\PackageColor\colorui.dll