"North Korean Hackers Spreading Trojanized Versions of PuTTY Client Application"

A threat actor with a North Korean connection has been discovered using a novel spear phishing method involving trojanized versions of the PuTTY SSH and telnet client. Mandiant researchers attributed the new campaign to an emerging threat cluster tracked as UNC4034. According to the researchers, UNC4034 communicated with the victim via WhatsApp and enticed them to download a malicious ISO package with a fake job offer, which resulted in the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility. The use of fake job offers for malware distribution is a common tactic employed by North Korean state-sponsored actors, including the Lazarus Group, as part of the ongoing Operation Dream Job campaign. The attack begins with an ISO file posing as an Amazon Assessment as part of a potential job opportunity at the company. After the actor makes initial contact via email, the file is shared via WhatsApp. The archive, for its part, contains a text file holding an IP address and login credentials, as well as an altered version of PuTTY, which loads a dropper called DAVESHELL. This dropper deploys a newer variant of the AIRDRY backdoor. The threat actor most likely persuades the victim to launch a PuTTY session and connect to the remote host using the credentials provided in the text file, effectively activating the infection. North Korean-linked hackers have previously used AIRDRY, also known as BLINDINGCAN, to target US defense contractors and entities in South Korea and Latvia. This article continues to discuss the new campaign involving trojanized versions of the PuTTY SSH and telnet client.
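The lure described above has a recognisable shape: an archive that pairs a PuTTY-named executable with a text file holding a host address and login credentials. The following is an added example of triage logic for that shape, not code from Mandiant, THN or the PuTTY project. It assumes the ISO has already been extracted or mounted into a directory, and that `KNOWN_GOOD_SHA256` is an allowlist the operator fills from official PuTTY release hashes (the value here is a placeholder); the sample lure contents it builds are constructed and contain no real malware.

```python
"""Triage an extracted ISO for the trojanized-PuTTY-plus-credentials lure pattern.

Added example (not the vendor's or the reporters' code). Assumptions:
- the ISO contents are already available as ordinary files under a directory
- KNOWN_GOOD_SHA256 is populated by the operator from official PuTTY release
  hashes; the single entry below is a constructed placeholder
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Placeholder allowlist: replace with SHA-256 values of official PuTTY builds.
KNOWN_GOOD_SHA256 = {
    "0" * 64: "placeholder for an official putty.exe hash (constructed)",
}

# File names the PuTTY suite ships under; a match is only a reason to verify the hash.
PUTTY_NAMES = {"putty.exe", "putty64.exe", "plink.exe", "pscp.exe", "psftp.exe"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CRED_RE = re.compile(r"\b(?:user(?:name)?|login|pass(?:word)?|pwd)\b\s*[:=]", re.I)


@dataclass
class Finding:
    path: str
    reason: str


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_extracted_iso(root):
    """Return (verdict, findings). 'suspicious' needs BOTH an unverified PuTTY-named
    binary AND a text file that pairs an IP address with credentials; either alone
    is only 'review', because genuine admins do ship PuTTY on internal media."""
    findings = []
    unverified_putty = False
    cred_note = False
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in PUTTY_NAMES:
                digest = sha256_of(path)
                if digest not in KNOWN_GOOD_SHA256:
                    unverified_putty = True
                    findings.append(Finding(path, f"PuTTY-named binary with unrecognised SHA-256 {digest[:16]}..."))
            elif lower.endswith(".txt"):
                with open(path, "rb") as f:
                    text = f.read(64 * 1024).decode("utf-8", "replace")
                if IPV4_RE.search(text) and CRED_RE.search(text):
                    cred_note = True
                    findings.append(Finding(path, "text file pairing an IP address with login credentials"))
    if unverified_putty and cred_note:
        return "suspicious", findings
    return ("review" if findings else "clean"), findings


def build_lure_sample(root):
    """Write a constructed imitation of the lure layout into root (no real malware)."""
    with open(os.path.join(root, "PuTTY.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64)  # constructed stand-in, not a real PE file
    with open(os.path.join(root, "Amazon_Assessment.txt"), "w") as f:
        f.write("Connect to the assessment host with PuTTY.\n"
                "Host: 203.0.113.10\nUsername: candidate\nPassword: Welcome1\n")  # constructed values


def demo_lure():
    """Scan a constructed lure directory; expected verdict is 'suspicious'."""
    with tempfile.TemporaryDirectory() as d:
        build_lure_sample(d)
        return scan_extracted_iso(d)


def demo_clean():
    """Scan a directory holding only a harmless note; expected verdict is 'clean'."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "readme.txt"), "w") as f:
            f.write("Nothing to see here.\n")
        return scan_extracted_iso(d)


if __name__ == "__main__":
    verdict, findings = demo_lure()
    print(verdict)
    for item in findings:
        print(f"  {item.path}: {item.reason}")
```

The hash check is deliberately an allowlist rather than a blocklist: a single known-bad hash is trivially changed between campaigns, whereas "this is not any build the vendor published" holds regardless of how the binary was altered. In a real deployment the allowlist would be kept current with each PuTTY release, and the same comparison can be run on the binary a user is about to launch rather than only on archive contents.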

THN reports "North Korean Hackers Spreading Trojanized Versions of PuTTY Client Application"
