Where data is home

North Korean Hackers Exploit PuTTY SSH Client for Backdoor Deployment


This article gives an overview of recent activity by the North Korean threat group UNC4034, which has been using a trojanized PuTTY SSH client to deploy backdoors on targeted devices. The campaign, known as Operation Dream Job, has been running since June 2020 and primarily targets media companies. The attackers use fake Amazon job applications as the lure. After an initial email, the conversation moves to WhatsApp, where a file named 'amazon_assessment.iso' is shared; it contains a trojanized build of the PuTTY executable. Once the victim uses it to open an SSH connection, a DAVESHELL shellcode payload runs and drops the AIRDRY.V2 backdoor into memory. The backdoor lets the operators upload system information, update its configuration, and execute plugins, among other actions. Verifying that a PuTTY binary is genuine is the key defence against this trojanized build. Mandiant, the cybersecurity firm that analysed the campaign, attributes it to UNC4034.

Key Takeaways

  • North Korean hackers, specifically the threat group UNC4034, have been deploying backdoors on targets' devices.
  • The hackers are using trojanized versions of the PuTTY SSH client, disguised as fake Amazon job applications.
  • The attack begins with lucrative job-offer emails; the conversation then moves to WhatsApp, where a file named 'amazon_assessment.iso' is shared.
  • The trojanized PuTTY executable, named 'Amazon-KiTTY[.]exe', carries a malicious payload and is noticeably larger than the legitimate build. The payload includes the DAVESHELL shellcode, which drops the AIRDRY.V2 backdoor into memory.

Adversaries and Campaign Details

The adversaries behind the campaign, identified as North Korean hackers associated with the threat group UNC4034, have been deploying backdoors on targets' devices using trojanized versions of the PuTTY SSH client, posing as Amazon recruiters with fake job applications and primarily targeting media companies since June 2020. The impact on the targeted media companies is significant: unauthorized access to their systems and the potential for data breaches. The main countermeasure against the trojanized build is to verify the authenticity of any PuTTY binary before it is run, by checking that it carries a valid digital signature from the PuTTY author, Simon Tatham, and that it matches a known-good release. Media companies in particular should apply this check to protect their systems and sensitive information from compromise.

Initial Attack Steps

Moving the conversation to WhatsApp is one of the first steps in the attack. The hackers lure their victims with lucrative job offers sent by email and then continue the exchange on WhatsApp. This social engineering tactic is meant to build trust and make the target more willing to follow instructions. The hackers then share a file named 'amazon_assessment.iso' over WhatsApp; the image contains a text file with an IP address and login credentials, together with the trojanized PuTTY SSH client that the victim is asked to use to connect to it.

To protect against trojanized software like the malicious PuTTY executable used in this attack, organizations can implement mitigation strategies. These strategies include verifying the authenticity of the software by checking for digital signatures and ensuring the correct version. Additionally, user education and awareness about social engineering techniques can help individuals recognize and avoid falling victim to such attacks.

Trojanized PuTTY Executable

One notable aspect of the attack is the modification made to the PuTTY executable, specifically in its connect_to_host() function. UNC4034 did not merely wrap a malicious loader around PuTTY; they compiled a fully functional PuTTY build with the malicious payload embedded in it, so the client works as expected while the payload runs alongside it. This trojanized version, named 'Amazon-KiTTY[.]exe', passes for a legitimate copy of PuTTY. The way to detect and block it is to verify the authenticity of the PuTTY binary: confirm that it is digitally signed by Simon Tatham and that it has not been tampered with. The reuse of legitimate, widely trusted software as a carrier for malicious code is exactly why such verification needs to be a routine control rather than an afterthought.

DAVESHELL Payload

The modification to the PuTTY executable lets the adversaries execute the DAVESHELL payload, which drops the final payload, the AIRDRY.V2 backdoor, into memory and gives the threat actors persistent access to the compromised system. The DAVESHELL shellcode is the critical link in this chain: it runs when the victim establishes an SSH connection and is responsible for loading the backdoor. To counter this threat, organizations can combine several countermeasures and detection techniques. They should routinely verify the authenticity of PuTTY binaries by checking for a digital signature from the legitimate developer, Simon Tatham. They should also deploy endpoint security that can detect and block the AIRDRY.V2 backdoor, and monitor network traffic for activity associated with the malware's command and control infrastructure.
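The verification step recommended throughout this article (checking that a PuTTY binary is signed by Simon Tatham, is not tampered with, and does not show the size anomaly noted for the trojanized build) can be automated on Windows. The script below is an added example, not code from the article or from Mandiant or the PuTTY project; it uses the standard Get-AuthenticodeSignature and Get-FileHash cmdlets. The expected signer string and the known-good size are assumptions that should be set from a copy downloaded directly from the PuTTY site.

```powershell
# Added example: gate a PuTTY binary on its Authenticode signature and basic integrity checks.
# Assumptions: the publisher name on PuTTY's code-signing certificate contains "Simon Tatham",
# and $KnownGoodBytes is the size of a genuine release obtained from the PuTTY project.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ExpectedSigner = 'Simon Tatham',  # assumption: CN on the legitimate signing certificate
    [long]$KnownGoodBytes = 0                  # assumption: 0 disables the size check; set from a known-good copy
)

function Test-PuttyBinary {
    param([string]$Path, [string]$ExpectedSigner, [long]$KnownGoodBytes)

    $findings = @()

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Findings = @('file not found') }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. The signature must validate: chains to a trusted root and the file is unmodified since signing.
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status is '$($sig.Status)'"
    }

    # 2. The signer must be the expected publisher, not merely any valid certificate.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($subject -notlike "*CN=$ExpectedSigner*") {
        $findings += "signer is '$subject', expected CN=$ExpectedSigner"
    }

    # 3. Size sanity check: a build that is much larger than the genuine release is a cheap red flag.
    $size = (Get-Item -LiteralPath $Path).Length
    if ($KnownGoodBytes -gt 0 -and $size -gt $KnownGoodBytes) {
        $findings += "file is $size bytes, larger than the known-good $KnownGoodBytes bytes"
    }

    # 4. Record the SHA-256 so it can be compared with the checksums the PuTTY project publishes.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path     = $Path
        SHA256   = $hash
        Signer   = $subject
        Status   = $sig.Status
        Bytes    = $size
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage: .\Test-PuttyBinary.ps1 -Path C:\tools\putty.exe -KnownGoodBytes <size of a genuine copy>
Test-PuttyBinary -Path $Path -ExpectedSigner $ExpectedSigner -KnownGoodBytes $KnownGoodBytes | Format-List
```

A binary that is unsigned, signed by someone else, or signed but modified after signing fails the first two checks regardless of its name, which is the point: the trojanized build on this page is a complete, working PuTTY and cannot be told apart by behaviour alone. The size and hash checks are secondary and only meaningful against a reference copy you trust.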

Backdoor Command IDs

The command IDs supported by the backdoor give adversaries a range of capabilities to gather system information, update configuration, and maintain persistence, allowing them to control the compromised system at will. Each command ID is an instruction the backdoor carries out:

  • 0x2009: upload basic system information.
  • 0x2028: update the beacon interval using a value sent by the C2 server.
  • 0x2029: deactivate the backdoor until a new start date and time.
  • 0x2031: upload the current configuration.
  • 0x2032: update the configuration.
  • 0x2037: keep-alive.
  • 0x2038: update the beacon interval using the value in the configuration.
  • 0x2052: update the AES key used for encryption.
  • 0x2057: download and execute plugins in memory.

The reduced command support does not limit the backdoor's flexibility: plugin execution alone gives adversaries substantial control over the compromised system. The command set shows the degree of control and manipulation available to the operators and illustrates how backdoor malware continues to evolve.

Frequently Asked Questions

What are some other methods used by North Korean hackers to deploy backdoors on targets' devices?

Social engineering and the exploitation of software vulnerabilities are the methods most commonly used to deploy backdoors on targets' devices. The first manipulates people through deception; the second abuses weaknesses in software to gain unauthorized access.

How do the hackers lure victims into the attack through the fake Amazon job applications?

The hackers approach victims with lucrative job offers and move the conversation to WhatsApp. Red flags in these approaches include unexpected file attachments, such as disk images, and requests for personal information.

What are the differences between the trojanized version of PuTTY SSH client and the legitimate version?

The trojanized version of the PuTTY SSH client differs from the legitimate version in several ways: it has a significantly larger file size, contains a modified connect_to_host() function, and carries a malicious payload. These differences are the indicators that distinguish a tampered build from the genuine one.

How does the DAVESHELL payload work and what is its purpose?

The DAVESHELL payload runs when the victim establishes an SSH connection and drops the AIRDRY.V2 backdoor into memory. The backdoor then lets the hackers run commands such as uploading system information and updating its configuration. Social engineering is what gets the trojanized client onto the victim's machine in the first place. Countermeasures include verifying PuTTY's authenticity and maintaining strong endpoint and network security to detect the backdoor.

Are there any specific industries or types of companies that the UNC4034 threat group targets?

The UNC4034 threat group targets various industries and companies, particularly media companies. Their ongoing activities have significant implications for cybersecurity. By understanding their targets, the impact of the UNC4034 threat group can be better assessed and mitigated.
