North Korean hackers are using a modified, malicious version of the PuTTY SSH client to deploy a backdoor on the machines of people applying for a fake job at Amazon. A well-crafted process.
Mandiant has published a report describing this campaign, which it attributes to the group UNC4034. That group is also tracked under other names: "Temp.Hermit" and "Labyrinth Chollima". The campaign is not new, since it dates back to June 2020, but it appears to have been reactivated.
To infect victims, the attackers use modified versions of the PuTTY and KiTTY SSH clients that carry a malicious payload. But it all starts with a solicitation email mentioning an attractive job offer at Amazon. If the user takes the bait, he is redirected to WhatsApp, where the conversation continues and the attackers invite him to take a test to assess his skills. That is the pretext for having the user download an ISO file named "amazon_assessment.iso".
This ISO file contains a text file, "readme.txt", listing several pieces of information: an IP address, a username and a password. This information is supposed to let the candidate connect over SSH to a remote server to complete an exercise. To establish that connection, he must use the PuTTY or KiTTY SSH client, specifically the version bundled in the ISO image.
Although the PuTTY or KiTTY client works as expected, since it is built from the original program, it is in fact a modified version carrying a backdoor that Mandiant calls AIRDRY.V2. To stay discreet, the malicious SSH client exploits a DLL search-order hijacking weakness in the legitimate Windows tool "colorcpl.exe" (the Color Management applet) to get the malicious DLL loaded, and the payload then runs directly in memory.
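The loading trick described above leaves a pattern a defender can hunt for: colorcpl.exe normally runs from and loads its libraries out of the Windows system directories, so a DLL load from a user-writable path, or a colorcpl.exe instance launched by an SSH client, is worth an alert. The script below is an added example, not code from Mandiant or from the article; the Sysmon-style event records, the DLL path, the mounted-ISO drive letter and the "trusted directory" list are all constructed assumptions for illustration, not indicators from the report.

```python
"""Added example (not from the Mandiant report or the article): flag
colorcpl.exe loading a DLL from outside the Windows system directories,
the DLL search-order hijacking pattern the trojanized PuTTY/KiTTY relies
on, plus colorcpl.exe being spawned by an SSH client. Event fields mimic
Sysmon Event ID 7 (ImageLoaded) and Event ID 1 (ProcessCreate); all
paths below are constructed assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional
import ntpath

# Assumption: a legitimate colorcpl.exe only loads DLLs from these directories.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# SSH clients named in the article; a parent from this list is suspicious.
SSH_CLIENTS = ("putty.exe", "kitty.exe")


@dataclass
class Event:
    event_id: int      # 7 = image loaded, 1 = process created (Sysmon numbering)
    image: str         # full path of the process image
    loaded: str = ""   # DLL path, only meaningful for event_id 7
    parent: str = ""   # parent image path, only meaningful for event_id 1


def _basename(path: str) -> str:
    # ntpath handles backslash paths correctly even when run on Linux.
    return ntpath.basename(path).lower()


def _in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def classify(ev: Event) -> Optional[str]:
    """Return a finding string if the event matches a hijacking heuristic, else None."""
    if _basename(ev.image) != "colorcpl.exe":
        return None
    if ev.event_id == 7 and not _in_trusted_dir(ev.loaded):
        return f"colorcpl.exe loaded DLL from untrusted path: {ev.loaded}"
    if ev.event_id == 1 and _basename(ev.parent) in SSH_CLIENTS:
        return f"colorcpl.exe spawned by SSH client {ev.parent}"
    return None


def hunt(events: List[Event]) -> List[str]:
    """Run every event through classify() and keep the findings, in log order."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample log: two benign records followed by two that match.
# E:\ stands in for a mounted amazon_assessment.iso (assumed drive letter).
SAMPLE_EVENTS = [
    Event(7, r"C:\Windows\System32\colorcpl.exe",
          loaded=r"C:\Windows\System32\mscms.dll"),          # benign load
    Event(1, r"C:\Windows\System32\colorcpl.exe",
          parent=r"C:\Windows\explorer.exe"),                # benign launch
    Event(1, r"C:\Windows\System32\colorcpl.exe",
          parent=r"E:\PuTTY.exe"),                           # SSH client as parent
    Event(7, r"C:\Windows\System32\colorcpl.exe",
          loaded=r"C:\Users\Public\Libraries\colorhelper.dll"),  # user-writable path
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The two heuristics are deliberately independent: the untrusted-path rule catches the hijack regardless of which program staged the DLL, while the parent-process rule catches the PuTTY/KiTTY lure even if the DLL happens to land in a directory you chose to trust. In a real deployment the trusted directory list should be derived from the host's actual %SystemRoot% rather than hard-coded, and the same image-load rule can be applied to other signed Windows binaries known to be abused for side-loading.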
Once the backdoor is deployed on the machine, it establishes communication with a C2 server. AIRDRY.V2 supports communication over HTTP and SMB, and the requests between the infected host and the C2 server are encrypted with an AES key.
In the end, the candidate has no new job and, on top of that, his machine is compromised!
#PuTTY #software #deploy #backdoor