North Korea weaponising open-source tools

KiTTY, PuTTY, Sumatra PDF Reader, and TightVNC are among the weaponised tools.

Hackers linked to North Korea are responsible for a new cyber campaign aiming to weaponise legitimate open-source tools.

On Thursday the Microsoft Threat Intelligence Center (MSTIC) said the campaign is still active and has already succeeded in compromising media, defence & aerospace, and IT services in the US, UK, India and Russia.

MSTIC said the gang behind the campaign is a 'sophisticated nation-state activity group', which is abusing LinkedIn to scan for potential targets. It has identified the group as Zinc, also known as the Lazarus Group. Lazarus is best known for carrying out the catastrophic hack of Sony Pictures Entertainment in 2014.

'Due to the wide use of the platforms and software that ZINC utilises in this campaign, ZINC could pose a significant threat to individuals and organisations across multiple sectors and regions,' MSTIC researchers wrote.

The attackers have effectively penetrated a number of organisations since June, using conventional social engineering tactics.

They begin by connecting with people on LinkedIn to gain their trust. Once a connection is accepted, they encourage targets to keep in touch over WhatsApp, which serves as the vehicle for delivering payloads.

Following a successful breach, the threat actors traverse networks laterally before using the ZetaNile backdoor to exfiltrate data.

Microsoft claims to have seen Zinc employing a variety of open source tools, such as KiTTY, PuTTY, Sumatra PDF Reader, TightVNC and the muPDF/Subliminal Recording software installer for these attacks.

As always, we recommend downloading software from official sources rather than distributed links and packages.

Avoiding lateral infections

Two weeks ago, security company Mandiant issued a warning about North Korea-affiliated hackers using trojanised versions of PuTTY to install backdoors on targets' devices, as part of a fake Amazon job assessment.

PuTTY is well-known software that can function as a terminal emulator, a serial console and a network file transfer application.

Mandiant said the threat actors first contact their targets through email with a tempting job offer, then move the conversation to WhatsApp. This is where they provide an ISO file, which contains a trojanised version of PuTTY and a text file with an IP address and login information.

The trojanised PuTTY and KiTTY tools that Microsoft found use a clever technique to ensure that only the intended targets are compromised and that other devices are not unintentionally infected.

Malicious code is not executed by the app installers themselves. Instead, the ZetaNile backdoor is only installed when the applications connect to a specific IP address and use the login credentials that the fake recruiters supply to targets.

Microsoft provided technical indicators in its post, which organisations may use to check whether any endpoints in their networks are affected.

Additionally, it provides the IP addresses utilised throughout the campaign that administrators may add to the block lists of their respective networks.