An attack using a new spear phishing tactic that makes use of trojanized variants of the PuTTY SSH and Telnet client has been discovered with a North Korea link.
The malicious actors identified by Mandiant as the source of such effort is 'UNC4034', also referred to as Temp.Hermit or Labyrinth Chollima. Mandiant asserted that the UNC4034 technique was currently changing.
UNC4034 made contact with the victim via WhatsApp and tricked them into downloading a malicious ISO package in the form of a bogus job offer. This caused the AIRDRY.V2 backdoor to be installed via a trojanized PuTTY instance.
As part of a long-running operation called Operation Dream Job, North Korean state-sponsored hackers frequently use fake job lures as a means of spreading malware. One such group is the Lazarus Group.
The ios file had a bogus amazon job offer which was the entry point for hackers to breach data. After making initial contact via email, the file was exchanged over WhatsApp.
The archive itself contains a text file with an IP address and login information, as well as a modified version of PuTTY that loads a dropper named DAVESHELL that installs a newer version of a backdoor known as AIRDRY.
The threat actor probably persuaded the victim to open a PuTTY session and connect to the remote host using the credentials listed in the TXT file, therefore initiating the infection. Once the program has been launched, it makes an effort to persist by adding a new, scheduled task every day at 10:30 a.m. local time.
After a target responds to a fake job lure, the criminals may use a variety of malware delivery methods, according to Mandiant.
The most recent version of the virus has been found to forego the command-based method in favor of plugins which are downloaded and processed in memory, in contrast to prior versions of the malware that included roughly 30 commands for transferring files, file systems, and command execution.
Several technical indicators are also included in the Mandiant alert to aid businesses in identifying UNC4034-related activities. Days before its publication, US authorities confiscated $30 million in North Korean cryptocurrency that had been stolen.
