North Korean hackers are using trojanized versions of the PuTTY SSH client to deploy backdoors on targets’ devices as part of a fake Amazon job assessment.
A novel element in this campaign is the use of a trojanized version of the PuTTY and KiTTY SSH utility to deploy a backdoor, which in this case, is ‘AIRDRY.V2’.
According to Mandiant technical report published today, the threat cluster responsible for this campaign is ‘UNC4034’ (aka “Temp.Hermit” or “Labyrinth Chollima”).
The group’s latest activities appear to be a continuation of the ‘Operation Dream Job‘ campaign, which has been ongoing since June 2020, this time targeting media companies.
“In July 2022, during proactive threat hunting activities at a company in the media industry, Mandiant Managed Defense identified a novel spear phish methodology employed by the threat cluster tracked as UNC4034,” explained Mandiant.
Using the PuTTY SSH client to drop malware
The attack starts with threat actors approaching their targets via email with a lucrative job offer at Amazon and then take communication to WhatsApp, where they share an ISO file (“amazon_assessment.iso”).
The ISO includes a text file (“readme.txt”) containing an IP address and login credentials and a trojanized version of PuTTY (PuTTY.exe), a very popular open-source SSH console application.
While it is unclear what discussions occurred between the threat actors and victims, the hackers likely told the victim to open the ISO and use the enclosed SSH tool and credentials to connect to the host and perform a skills assessment.
However, the PuTTY shared by the hackers was modified to include a malicious payload in its data section, making the tampered version significantly larger than the legitimate version.
As the PuTTY executable was compiled from the legitimate program, it is fully functional and looks exactly like the legitimate version.
However, the hackers modified PuTTY’s connect_to_host() function so that on an SSH successful connection using the enclosed credentials, the program deploys a malicious DAVESHELL shellcode payload in the form of a DLL (“colorui.dll”) packed with Themida.
To make the launch of the shellcode stealthy, the malicious PuTTY uses a search order hijacking vulnerability in “colorcpl.exe,” the legitimate Windows Color Management tool, to load the malicious DLL.
DAVESHELL operates as the dropper of the final payload, the AIRDRY.V2 backdoor malware, which is executed directly in memory.
AIRDRY.V2 can communicate via HTTP, file, or SMB over a named pipe, trying to connect to one of the three hard-coded C2 addresses five times before going to a 60-second sleep.
While the backdoor has the technical capacity to use a proxy server and monitor for active RDP sessions, the version examined by Mandiant has these features disabled by default.
The commands supported by AIRDRY.V2 are the following nine:
Upload basic system information
Update the beacon interval based on a value provided by the C2 server
Deactivate until new start date and time
Upload the current configuration
Update the configuration
Update the beacon interval based on a value in the configuration
Update the AES key used to encrypt C2 requests and configuration data
Download and execute a plugin in memory
Compared to the previous version of AIRDRY, the new variant supports fewer commands, but the plugin execution in memory and updating the AES key for C2 communications are new capabilities.
Reducing the number of supported commands doesn’t impact the backdoor’s versatility because fetching plugins from the C2 opens up new potential for more surgical attacks.
To check for trojanized versions of PuTTY, you can look at the properties of the executable and make sure that it is digitally signed by ‘Simon Tatham.’
Unfortunately, the legitimate KiTTY program is not normally signed by the developer and should instead be uploaded to a virus scanning service, such as VirusTotal, to check for malicious detections.