North Korean Hackers Create Fake Job Offers to Target Industry Professionals Worldwide

The hackers are weaponizing open-source software with custom malware to target individuals in the aerospace, media, IT services, and defense sectors.


ZINC, a sub-division of the notorious North Korean Lazarus hacking group, has been weaponizing open-source software with custom malware capable of data theft, espionage, financial gain and network disruption since June 2022. 

According to Microsoft threat analysts who unearthed a new phishing campaign, the malicious hackers have weaponized a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installers to launch malware attacks against organizations in the aerospace, media, IT services, and defense sectors. 

Hackers exploiting social media platforms 

The next time you receive a message on LinkedIn, read it twice. Microsoft warns that the APT group has been actively distributing open-source software infected with trojans to industry professionals located in India, Russia, the UK, and the USA.

The hackers pose as job recruiters and connect with employees of targeted organizations over LinkedIn. Once a victim is convinced to move the conversation from LinkedIn to WhatsApp, which provides encrypted communication, the hackers move on to the next step: during the WhatsApp conversation, the target receives the trojanized software that allows ZINC to install malware on their system.

LinkedIn's threat prevention and defense team confirmed spotting bogus profiles created by North Korean hackers that mimicked recruiters working at prominent media, defense, and tech firms. It is worth noting that LinkedIn has been owned by Microsoft since 2016.

Attacking methodology 

According to a joint blog post by Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense, the malicious KiTTY and PuTTY applications employ a technique designed to ensure that only selected targets are compromised with malware.

To achieve this, the trojanized installers do not drop malware outright; the payload is installed only when the application connects to a specific IP address using login credentials that the fake recruiters supplied to the target. The actors also use DLL search order hijacking to install and decrypt a second-stage payload, which is triggered when the key ‘0CE1241A44557AA438F27BC6D4ACA246’ is presented for command and control.

Microsoft has published the full list of IoCs (indicators of compromise) discovered during its investigation in the blog post and is urging the cybersecurity community to remain vigilant, given the campaign's broad reach and its abuse of legitimate software products.
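The two traits described above, a modified copy of a legitimate program and a DLL planted beside it for search-order hijacking, are both things a defender can check for on an endpoint. The following audit script is an added example, not code from Microsoft's or LinkedIn's post; the vendor hash and the list of system DLL names are caller-supplied placeholders, and the folder contents in `demo()` are constructed.

```python
# Added example, not code from Microsoft's or LinkedIn's post: a defender-side
# audit of an application folder such as a PuTTY or KiTTY install. It checks
# that the executable matches the vendor-published SHA-256 and that no DLL in
# the folder shadows a name Windows would otherwise load from System32 (the
# precondition for DLL search-order hijacking). Values in demo() are constructed.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_app_dir(app_dir, exe_name, expected_sha256, system_dll_names):
    """Return human-readable findings; an empty list means nothing suspicious."""
    app_dir = Path(app_dir)
    findings = []
    exe = app_dir / exe_name
    if not exe.is_file():
        findings.append(f"missing executable: {exe_name}")
    elif sha256_of(exe) != expected_sha256.lower():
        findings.append(f"hash mismatch: {exe_name} is not the vendor-published build")
    shadowed = {name.lower() for name in system_dll_names}
    for dll in sorted(app_dir.glob("*.dll")):
        if dll.name.lower() in shadowed:
            findings.append(f"search-order hijack candidate: {dll.name} shadows a system DLL")
    return findings


def demo():
    """Constructed scenario: a tampered executable plus a planted DLL."""
    vendor_build = b"constructed stand-in for the genuine putty.exe"
    expected = hashlib.sha256(vendor_build).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        # trojanized copy: differs from the vendor build, so the hash check fails
        (folder / "putty.exe").write_bytes(vendor_build + b" tampered")
        # a DLL dropped beside the executable under a system DLL's name
        (folder / "version.dll").write_bytes(b"constructed stub")
        (folder / "helper.dll").write_bytes(b"unrelated helper, not flagged")
        return audit_app_dir(folder, "putty.exe", expected, {"version.dll"})


if __name__ == "__main__":
    print("\n".join(demo()) or "no findings")
```

In practice the expected hash comes from the vendor's download page and the DLL-name set from the program's import table or a System32 listing; the script then reduces to a periodic integrity check over installed tooling.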

"Zinc attacks appear to be motivated by traditional cyberespionage, theft of personal and corporate data, financial gain, and corporate network destruction," the company stated. "Zinc attacks bear many hallmarks of state-sponsored activities, such as heightened operational security, sophisticated malware that evolves over time, and politically motivated targeting."