During recent months, Microsoft has detected cyberattacks targeted at security researchers by an actor tracked as ZINC, who is also called the author of these attacks. Originally, the campaign was brought to the attention after Microsoft Defender for Endpoints detected an attack that was taking place in the background.
As a consequence, seven groups have been identified as being targeted, including pen testers, private offensive security researchers, and employees of security and technology companies. Based on the observations made by MSTIC, which is a Microsoft Threat Intelligence Center, we can attribute this campaign with high confidence to ZINC, which is a DPRK-affiliated and state-sponsored group, given its tradecraft, infrastructure, malware patterns, and account affiliations.
Campaigns designed to attack
Using a high degree of confidence, Microsoft Threat Prevention and Defense has linked these recent attacks to a threat group identified as Zinc. The group is allegedly associated with recent attacks on LinkedIn. In addition, the group is also linked with one of the groups of the Lazarus movement.
• During their experiments, researchers noticed Zinc using a wide variety of open-source software, including KiTTY, TightVNC, Sumatra PDF Reader, PuTTY, and muPDF/Subliminal Recording software installers.
• As far as Microsoft is concerned, there are around five methods for trojanizing open-source applications, including packing with commercial software protection Themida, hijacking DLL Search orders, using custom encryption methods, encoding victim information in parameters associated with common keywords, and using SSH clients.
• A number of these applications are bundled with malicious shellcodes and malicious payloads that belong to the ZetaNile malware family that researchers have been tracking.
Is there anyone who has been affected by the crisis?
There has been a recent rash of attacks caused by Zinc on employees of various companies located in the United Kingdom, the United States, Russia, and India. These companies operate in different industries such as defense, aerospace, IT services, and media.
The tactical approach to the spread of infection
A LinkedIn security team discovered Zinc impersonating recruiters from defense, technology, and media companies. This was malware that was delivered from LinkedIn to WhatsApp.
Despite this, LinkedIn immediately suspended accounts linked to suspicious or fraudulent behavior as per its policies and the accounts spotted in these attacks.
Earlier this month, Mandiant reported about an ongoing campaign related to the weaponized version of PuTTY being used by some hackers; the operation Dream Job campaign was initiated by attackers to extract information about jobs on LinkedIn using job lures.
In essence, throughout its attack campaign, Zinc targets victims all over the world with a wide range of platforms and open-source software, making it one of the most dangerous cyber threats for businesses globally.
To prevent such abuses, individuals and organizations that use open-source software should therefore ensure that they are vigilant. Whenever possible, it is highly recommended that you leverage a threat intelligence platform to find threats that are tailored to your needs.