Researchers believe that hackers with ties to the North Korean government are pushing a trojanized version of the PuTTY networking utility in an attempt to backdoor the networks of organizations they want to spy on.
Researchers from the security company Mandiant said on Thursday that at least one customer it serves had an employee who inadvertently installed the fake networking tool. The mistake infected the employer with a backdoor the researchers track under the name AIRDRY.V2. The file was sent by a threat group that Mandiant tracks as UNC4034.
“Mandiant has identified several overlaps between UNC4034 and threat groups that we suspect are related to North Korea,” the company’s researchers wrote. “The AIRDRY.V2 C2 URLs belong to the hacked website infrastructure that these groups have previously taken advantage of and that have been reported in various OSINT sources.”
The threat actors posed as recruiters offering the employee a job at Amazon. They sent the target a message via WhatsApp that delivered a file called amazon_assessment.iso. ISO files have been increasingly used in recent months to infect Windows devices because double-clicking one mounts it as a virtual drive by default and, at the time, files inside a mounted image did not inherit the Mark of the Web that triggers SmartScreen warnings for downloaded executables. Among other things, the image contained an executable file titled PuTTY.exe.
PuTTY is an open source SSH and telnet client. Legitimate versions of it are signed by the official developer. The copy sent in the WhatsApp message was not signed.
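The absence of a signature on the delivered PuTTY.exe is the kind of thing a responder can check for every file in an ISO like this one, before anything is executed. The script below is an added example written for this page, not code from Mandiant, Ars Technica or the PuTTY project. It parses the PE headers by hand and reports whether each file carries an embedded Authenticode signature block (the IMAGE_DIRECTORY_ENTRY_SECURITY data directory) and its SHA-256, which can be compared against the checksums the PuTTY developer publishes alongside the official downloads. It only detects that a signature is present or absent; it does not validate the certificate chain, so a file that is flagged "signed" still needs `Get-AuthenticodeSignature` or `signtool verify` on Windows. The `build_minimal_pe` helper constructs toy PE images so the example runs offline; they are not real binaries.

```python
"""Triage the contents of a mounted ISO for unsigned PE executables.

Added example for this article, not code from Mandiant or the PuTTY project.
Detects only whether an Authenticode signature block is embedded; it does not
verify the signer. Validate flagged files with signtool or
Get-AuthenticodeSignature before trusting them.
"""
import hashlib
import struct
import sys
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the certificate table in the data directory


def authenticode_directory(pe: bytes) -> tuple[int, int]:
    """Return (file_offset, size) of the embedded certificate table, or (0, 0).

    Raises ValueError when the bytes are not a well-formed PE image.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if len(pe) < e_lfanew + 24 or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER is 20 bytes after the signature; SizeOfOptionalHeader sits at +16.
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 4 + 16)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, DataDirectory at +96
        dd_base = opt + 96
    elif magic == 0x20B:    # PE32+: NumberOfRvaAndSizes at +108, DataDirectory at +112
        dd_base = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if len(pe) < dd_base:
        raise ValueError("truncated optional header")
    num_rva = struct.unpack_from("<I", pe, dd_base - 4)[0]
    if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    entry = dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional or entry + 8 > len(pe):
        raise ValueError("data directory outside optional header")
    # Unlike the other directories, the security entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, entry)
    return (off, size)


def triage_bytes(name: str, data: bytes) -> dict:
    """Classify one file: signed True/False for PE files, None for non-PE files."""
    try:
        off, size = authenticode_directory(data)
        signed = off != 0 and size != 0
    except ValueError:
        signed = None
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(), "signed": signed}


def triage_tree(root: Path) -> list[dict]:
    """Walk a directory (for example the drive letter of a mounted ISO)."""
    return [triage_bytes(str(p), p.read_bytes()) for p in sorted(root.rglob("*")) if p.is_file()]


def build_minimal_pe(signed: bool) -> bytes:
    """Construct a toy PE32 image for demonstration; it is not a runnable binary."""
    size_of_optional = 96 + 16 * 8                     # standard fields + 16 data directories
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: PE header right after the DOS stub
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, size_of_optional, 0x102)
    opt = bytearray(size_of_optional)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(file_hdr) + size_of_optional
    blob = b""
    if signed:
        # WIN_CERTIFICATE header (dwLength, wRevision=0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        # followed by placeholder bytes standing in for the PKCS#7 SignedData.
        blob = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(blob))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + blob


if __name__ == "__main__":
    # Usage: python triage_iso.py E:\   (a mounted ISO), or run with no argument for the toy images.
    if len(sys.argv) > 1:
        results = triage_tree(Path(sys.argv[1]))
    else:
        results = [triage_bytes("PuTTY.exe (toy, unsigned)", build_minimal_pe(False)),
                   triage_bytes("PuTTY.exe (toy, signed)", build_minimal_pe(True))]
    for r in results:
        label = {True: "signed", False: "UNSIGNED", None: "not PE"}[r["signed"]]
        print(f"{label:9} {r['sha256'][:16]}...  {r['name']}")
```

An unsigned PE dropped by a "recruiter" is the strongest single indicator here, but the check should be combined with the hash comparison: a signed binary is only meaningful if the signer is the expected one, and a correct SHA-256 match against the vendor's published list makes the signature check redundant.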
The executable installed the latest version of AIRDRY, a backdoor that the US government has attributed to the North Korean government. The US Cybersecurity and Infrastructure Security Agency has published a description of it. Japan's computer emergency response team, JPCERT/CC, has also described the backdoor, which is also tracked as BLINDINGCAN.