In July 2022, Mandiant identified a novel spear phish methodology that was employed by North Korea-linked threat actor UNC4034. The attackers are spreading tainted versions of the PuTTY SSH and Telnet client. The attack chain starts with a fake job opportunity at Amazon sent to the victims via email. Subsequently, UNC4034 communicated with them over WhatsApp and after the communication is established with the victim over WhatsApp, then threat actors tricked victims into downloading a malicious ISO image masqueraded as a fake job.
The archive holds a text file containing an IP address and login credentials, and an a backdoored version of PuTTY that was used to load a dropper called DAVESHELL, which deploys a newer variant of a backdoor dubbed AIRDRY. AIRDRY, also known as BLINDINGCAN, is one of the backdoors used by North Korea-linked APT groups in previous attacks.
Clearly, the attackers convinced the victim to launch a PuTTY session using the credentials contained in the TXT file to connect to the remote host.
“The initial lead was a file downloaded to the host named amazon_assessment.iso. ISO and IMG archives have become attractive to threat actors because, from Windows 10 onwards, double-clicking these files automatically mounts them as a virtual disk drive and makes their content easily accessible.” Reads the post published by Mandiant. “Detecting malicious IMG and ISO archives served via phishing attachments is routine for Mandiant Managed Defense. The payloads contained within such archives range from commodity malware to advanced backdoors like the sample analyzed in this blog post.”
Experts pointed out that earlier versions of AIRDRY supported numerous backdoor commands, including file transfer, file management, and command execution. The most recent version replaces the traditional backdoor commands with a plugin-based approach that supports multiple communication modes.
Experts published Indicators of Compromise (IoCs) and MITRE ATT&CK Mapping for this campaign.
The development is yet another sign that the use of ISO files for initial access is gaining traction among threat actors to deliver both commodity and targeted malware.
The shift is also attributable to Microsoft’s decision to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros for Office apps downloaded from the internet by default.
(SecurityAffairs – hacking, North Korea)