Cybercriminals trojanize PuTTY to install a backdoor on the victim’s system
North Korean cybercriminals are using a malicious build of the PuTTY SSH client. Their goal is to deploy the “AIRDRY.V2” backdoor on victims’ devices under the cover of a popular open-source tool.
Mandiant researchers have described the attacks involving PuTTY. They attribute the campaign to UNC4034 (also known as Hermit and Labyrinth Chollima), a group that “specializes” in media companies.
“In July 2022, the Mandiant Managed Defense team was able to detect new spear phishing attacks, which are apparently the work of the UNC4034 group,” the researchers write in the report.
Such attacks begin with emails in which the attackers offer the victim an attractive job at Amazon. The conversation is then moved to WhatsApp, where the user is sent an ISO file, “amazon_assessment.iso”.
The image contains a text file, “readme.txt”, and a trojanized build of PuTTY (PuTTY.exe), a popular free utility. The text file holds an IP address and credentials. Most likely, the attackers ask the victim to mount the ISO and use the details in the text file to open an SSH connection to that host.
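A defender receiving a PuTTY.exe from an unsolicited ISO can cheaply triage it before anything else: does the file carry an Authenticode certificate table at all, and does its SHA-256 match the checksum the vendor publishes for that release? The Python below is an added example written for this article (not Mandiant's or the PuTTY project's code); the PE header layout is the standard one, the sample PE headers are constructed inline, and the vendor hash passed to `verdict` is a placeholder the reader supplies.

```python
import hashlib
import struct

CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the PE data directory
OPT_LAYOUT = {0x10B: (92, 96), 0x20B: (108, 112)}  # magic -> (NumberOfRvaAndSizes, data dir) offsets

def triage_pe(data: bytes) -> dict:
    """Is it a PE, does it carry an Authenticode certificate table, and its SHA-256."""
    result = {"is_pe": False, "has_authenticode_table": False,
              "sha256": hashlib.sha256(data).hexdigest()}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return result
    result["is_pe"] = True
    opt_off = pe_off + 24                      # optional header follows the 20-byte COFF header
    layout = OPT_LAYOUT.get(struct.unpack_from("<H", data, opt_off)[0])
    if layout is None:
        return result
    nrva_off, dir_off = layout
    entry_off = opt_off + dir_off + 8 * CERT_TABLE_INDEX
    if entry_off + 8 > len(data):
        return result
    n_dirs = struct.unpack_from("<I", data, opt_off + nrva_off)[0]
    if n_dirs > CERT_TABLE_INDEX:
        rva, size = struct.unpack_from("<II", data, entry_off)
        # Presence only: the signature itself still has to be verified with OS tooling.
        result["has_authenticode_table"] = rva != 0 and size != 0
    return result

def verdict(data: bytes, vendor_sha256: str) -> str:
    """Classify a PuTTY.exe against the hash the vendor publishes for that release."""
    t = triage_pe(data)
    if not t["is_pe"]:
        return "not-a-pe"
    if t["sha256"].lower() == vendor_sha256.lower():
        return "matches-vendor-hash"
    return "signed-but-mismatch" if t["has_authenticode_table"] else "unsigned-mismatch"

def build_sample(with_cert_table: bool) -> bytes:
    """Constructed minimal PE32+ header (no real code) used only as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    if with_cert_table:
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, 0x3000, 0x800)
    return dos + coff + bytes(opt)
```

A hash mismatch is the decisive signal here; an unsigned PuTTY.exe delivered with credentials in a readme is the case to escalate, while a signed file is only trustworthy after the signature is actually validated.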