UNC4034 Trojanizing PuTTY

North Korea-linked threat actors tracked as UNC4034 are using trojanized versions of PuTTY, the open-source SSH client and terminal emulator, to install backdoors on victims' devices.

The campaign, which tries to trick victims into opening malicious files as part of a fake Amazon job assessment, appears to build on an earlier, still-running one known as Operation Dream Job; the methodology used by UNC4034 now appears to be evolving.


In July 2022, researchers identified a novel spear-phishing methodology used by the threat cluster tracked as UNC4034. The actors established communication with the victim over WhatsApp and lured them into downloading a malicious ISO package tied to a fake job offer, which led to the deployment of the AIRDRY.V2 backdoor via a trojanized instance of the PuTTY utility.

The executable embedded in each ISO file by UNC4034 is a fully functional PuTTY application, but it also contains malicious code that writes an embedded payload to disk and launches it. After launch, a new scheduled task is created that executes daily.
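The persistence step described above (a dropped payload plus a daily scheduled task) is the part a defender can hunt for. The following is an added example, not code from the original post or from Mandiant: a small Python triage script that parses Windows Task Scheduler XML definitions (the files under C:\Windows\System32\Tasks) and flags tasks whose daily trigger launches a binary from a user-writable location. The task names, paths and sample definitions are constructed for illustration and are not indicators from the report.

```python
"""Triage Windows scheduled tasks for the 'daily task launching a dropped
binary' persistence pattern. Added example; task names and paths below are
constructed, not IoCs from the report."""
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations that admin-installed tasks rarely launch from (assumption: tune
# this list to the environment; per-user updaters also live in AppData).
USER_WRITABLE = re.compile(
    r"^(?:%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%|"
    r"[A-Za-z]:\\Users\\[^\\]+\\(?:AppData|Downloads)|"
    r"[A-Za-z]:\\ProgramData|[A-Za-z]:\\Windows\\Temp)",
    re.IGNORECASE,
)


def load_task_file(path):
    """Read one definition from the Tasks folder as bytes. Files there are
    UTF-16 with an XML declaration; passing bytes lets the parser honour it."""
    with open(path, "rb") as fh:
        return fh.read()


def parse_task(xml_data):
    """Return (task URI, command path, has_daily_trigger) for one definition."""
    root = ET.fromstring(xml_data)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    daily = root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None
    return uri, cmd.strip().strip('"'), daily


def is_suspicious(xml_data):
    """True when a daily calendar trigger runs a binary from a user-writable path."""
    _, cmd, daily = parse_task(xml_data)
    return daily and bool(USER_WRITABLE.match(cmd))


def triage(task_xmls):
    """Return the URIs of all definitions that match the pattern."""
    return [parse_task(x)[0] for x in task_xmls if is_suspicious(x)]


def _task_xml(uri, command, trigger):
    """Build a minimal Task Scheduler definition (constructed sample)."""
    return (
        f'<Task version="1.2" xmlns="{NS["t"]}">'
        f"<RegistrationInfo><URI>{uri}</URI></RegistrationInfo>"
        f"<Triggers>{trigger}</Triggers>"
        f'<Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>'
        "</Task>"
    )


DAILY = ("<CalendarTrigger><StartBoundary>2022-07-01T09:00:00</StartBoundary>"
         "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>")
LOGON = "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>"

# Constructed samples: a normal system task, a dropped binary on a daily
# trigger, and a user-profile binary that only runs at logon.
SAMPLE_TASKS = [
    _task_xml(r"\Microsoft\Windows\Defrag\ScheduledDefrag",
              r"%windir%\system32\defrag.exe", DAILY),
    _task_xml(r"\Updater\UserCheck",
              r"C:\Users\victim\AppData\Roaming\svchost.exe", DAILY),
    _task_xml(r"\Vendor\LogonHelper",
              r"C:\Users\victim\AppData\Local\Vendor\helper.exe", LOGON),
]

if __name__ == "__main__":
    for uri in triage(SAMPLE_TASKS):
        print("review:", uri)
```

Running the sample flags only \Updater\UserCheck. The match is a triage filter rather than a verdict: legitimate per-user updaters also sit under AppData, so a hit should be followed by checking the launched binary's signature and hash and comparing the task's creation time against the ISO download.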

This is likely one of several malware delivery techniques being employed by North Korean actors after a target has responded to a fabricated job lure.

This research was done and documented by experts from Mandiant Managed Threat Defence.


Indicators Of Compromise
