[MART] - Daily Diary #596 - Threat Actors Trojanize PuTTY SSH Client

ctas-mat at appgate.com ctas-mat at appgate.com
Fri Sep 16 20:56:41 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

09/16/2022 - Diary entry #596:

Recently, a spear phishing campaign was attributed to a North Korean threat group. Tracked as UNC4034, also known as Temp.Hermit or Labyrinth Chollima, the group is using trojanized versions of the PuTTY and KiTTY SSH clients to deploy backdoors such as AIRDRY.V2 on targets' devices, under the guise of a fake Amazon job opportunity sent via email.

After the threat actors approach their targets via email, they move the conversation to WhatsApp, where they share an ISO file ("amazon_assessment.iso"). The image contains a trojanized version of PuTTY (PuTTY.exe) and a "readme" text file with an IP address and login credentials.

When the trojanized client detects a successful SSH connection made with the supplied credentials, it deploys the DAVESHELL malicious payload, which in turn drops the AIRDRY.V2 backdoor (also known as BLINDINGCAN). The backdoor runs directly in memory and communicates with the C2 server via HTTP, file, or SMB.

AIRDRY.V2, a new variant of the AIRDRY backdoor, drops some of AIRDRY's features and adds new ones: it supports executing plugins downloaded from the C2 server directly in memory, and it can update its own configuration automatically.

To protect against this attack, we recommend that users not execute unknown software and not trust emails or social media accounts that pose as legitimate companies and post fake job ads.
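As an added defender-side check (example code, not part of the diary entry or any Appgate tooling), the script below looks for PuTTY/KiTTY executables in download locations and on mounted ISO/CD volumes, verifies their Authenticode signature, compares their SHA-256 hash against an operator-maintained allowlist, and flags anything unsigned or delivered inside a mounted image. It assumes the legitimate PuTTY signer subject contains "Simon Tatham", that the allowlist file path is a placeholder to be replaced, and that the Windows Storage module (Get-Volume) is available.

```powershell
# Added example: verify that PuTTY-like binaries are genuine before trusting them.
# Assumptions: legitimate PuTTY builds are Authenticode-signed by "Simon Tatham";
# $TrustedHashFile is an operator-maintained allowlist (placeholder path below).
param(
    [string[]]$SearchRoots = @("$env:USERPROFILE\Downloads", "$env:TEMP"),
    [string]$ExpectedSignerPattern = 'Simon Tatham',
    [string]$TrustedHashFile = 'C:\PLACEHOLDER\putty_sha256_allowlist.txt'
)

# Load known-good SHA-256 values (one per line), if an allowlist is present.
$trustedHashes = @()
if (Test-Path $TrustedHashFile) {
    $trustedHashes = Get-Content $TrustedHashFile | ForEach-Object { $_.Trim().ToUpper() }
}

# Mounted ISO images appear as CD-ROM volumes; that is the delivery vehicle in this campaign.
$cdromRoots = Get-Volume |
    Where-Object { $_.DriveType -eq 'CD-ROM' -and $_.DriveLetter } |
    ForEach-Object { "$($_.DriveLetter):\" }

$candidates = Get-ChildItem -Path ($SearchRoots + $cdromRoots) -Recurse `
    -Include 'putty*.exe', 'kitty*.exe' -ErrorAction SilentlyContinue

foreach ($file in $candidates) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

    # A binary is trusted only if its signature chain is valid AND the signer matches,
    # or its hash is on the allowlist (e.g. taken from the vendor's published sha256sums).
    $signerOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match $ExpectedSignerPattern)
    $hashOk   = $trustedHashes -contains $hash
    $onIso    = $cdromRoots | Where-Object {
        $file.FullName.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
    }

    $verdict = if ($signerOk -or $hashOk) { 'TRUSTED' } else { 'SUSPECT' }
    if ($onIso) { $verdict += ' (on mounted ISO/CD volume)' }

    [pscustomobject]@{
        Path      = $file.FullName
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash
        Verdict   = $verdict
    }
}
```

A SUSPECT verdict is a triage signal, not proof of compromise; confirm by comparing the hash with the vendor's published checksums and by checking the host for the network activity described above.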

Kind Regards,




Malware Analysis and Research Team


E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>
