Hackers associated with North Korea are using trojanized versions of PuTTY, the open-source SSH client and terminal emulator, to install backdoors on victims' devices.
The campaign was discovered by Mandiant, which attributes it to the threat actor tracked as 'UNC4034' (also known as Temp.Hermit or Labyrinth Chollima).
“Mandiant identified several overlaps between UNC4034 and threat clusters we suspect have a North Korean nexus,” reads an advisory published by the company on Wednesday.
The campaign, which tries to trick victims into opening malicious files as part of a fake Amazon job assessment, appears to build on an earlier, still-active one known as 'Operation Dream Job.'
According to Mandiant, the methodology used by UNC4034 is now evolving.
“In July 2022, during proactive threat hunting activities at a company in the media industry, Mandiant Managed Defense identified a novel spear phish methodology employed by the threat cluster tracked as UNC4034,” the company wrote.
“UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility.”
The use of ISO files has become increasingly common in the delivery of both commodity and targeted malware, the company explained. A mounted ISO gives the attacker a container whose contents, on the Windows builds of the time, did not inherit the Mark-of-the-Web that would otherwise trigger SmartScreen warnings on a downloaded executable.
“Mandiant has observed well-known actors, such as APT29, adopting the use of ISO files to deliver their malware.”
According to the advisory, the executable embedded in each ISO file by UNC4034 is a fully functional PuTTY application but also contains malicious code that writes an embedded payload
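As an added example (not code from the article or from Mandiant's advisory), here are two cheap checks a defender can run on a PuTTY binary pulled out of a suspicious ISO, written in Python with only the standard library. The first compares the file's SHA-256 against an allowlist the operator supplies (the sample passes an empty set; real values come from the official PuTTY release page), and the second walks the PE headers to see whether the Authenticode certificate table is populated, since genuine PuTTY releases are signed and a rebuilt binary often is not. The sample PE bytes are constructed inside the block and are not a real PuTTY build. The advisory does not say whether UNC4034's binary was signed, so treat the signature check as a generic triage step rather than a documented indicator.

```python
import hashlib
import struct

# IMAGE_DIRECTORY_ENTRY_SECURITY: the data-directory slot that points at the
# Authenticode certificate table (a raw file offset, not an RVA, for this entry).
SECURITY_DIR_INDEX = 4


def has_authenticode_table(pe: bytes) -> bool:
    """Return True if the PE carries a non-empty certificate table.

    This only proves a signature blob is present; validating the chain
    (signtool verify, Get-AuthenticodeSignature) is a separate step.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                 # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                               # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_dirs = struct.unpack_from("<I", pe, num_dirs_off)[0]
    if num_dirs <= SECURITY_DIR_INDEX:
        return False
    offset, size = struct.unpack_from("<II", pe, dirs_off + SECURITY_DIR_INDEX * 8)
    return offset != 0 and size != 0 and offset + size <= len(pe)


def triage(pe: bytes, known_good_sha256: set[str]) -> dict:
    """Summarise the two checks an analyst would run first on a suspect binary."""
    digest = hashlib.sha256(pe).hexdigest()
    return {
        "sha256": digest,
        "matches_allowlist": digest in known_good_sha256,
        "has_signature_table": has_authenticode_table(pe),
    }


def build_sample_pe(with_cert_table: bool) -> bytes:
    """Constructed sample data: a minimal PE32+ header with no sections (not
    executable), optionally followed by a stub WIN_CERTIFICATE so that the
    security directory is populated. Not a real PuTTY build."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header right after DOS header
    opt_size = 112 + 16 * 8                            # PE32+ fixed part plus 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    header = bytes(dos) + b"PE\0\0" + coff
    cert = b""
    if with_cert_table:
        # WIN_CERTIFICATE stub (dwLength, wRevision, wCertificateType); no real PKCS#7 body
        cert = struct.pack("<IHH", 8 + 16, 0x0200, 0x0002) + b"\0" * 16
        struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, len(header) + opt_size, len(cert))
    return header + bytes(opt) + cert


if __name__ == "__main__":
    for label, sample in (("signed-looking", build_sample_pe(True)),
                          ("signature-stripped", build_sample_pe(False))):
        print(label, triage(sample, known_good_sha256=set()))
```

A binary that fails both checks is not automatically malicious, but it is exactly the case to escalate: it is not a release you recognise and it carries no signature to verify. A binary that passes the hash check needs no further work; the signature check is for the far more common situation where the allowlist is incomplete.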