A new spear phishing campaign from North Korea has been discovered




The team at Mandiant, the Google-owned security company, has discovered a new spear phishing campaign tracked under the name UNC4034.

The threat is reported to be linked to a North Korean group, and it uses a new spear phishing method: a trojanized version of the PuTTY SSH and Telnet client.

The victim is contacted via WhatsApp and, under the guise of a job offer, is induced to download a compromised ISO package. Users who fall into the trap end up with the backdoor known as AIRDRY.V2 installed on their system through the compromised version of PuTTY. You can learn more about the technique on Mandiant's official blog.


Photo credits: Mandiant

The ISO file is presented as a legitimate component for an assessment by Amazon, the company to which the fake job offer is attributed. The first contact takes place via e-mail, and the file is then distributed via WhatsApp. Inside the archive there is a text file containing an IP address and login credentials, along with a modified version of PuTTY. When run, this PuTTY build loads the DAVESHELL dropper, which in turn deploys the AIRDRY backdoor (also known as BLINDINGCAN, already used by other North Korean hackers).

The version of the malware distributed in this campaign drops the built-in commands (for file transfer and management, for example) in favour of downloading plug-ins and executing them in memory.

Mandiant has managed to isolate and contain the attack, preventing further damage. Since Microsoft blocked VBA and XLM / XL4 macros, distributing ISO files to gain initial access to systems appears to have become much more widespread.
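As an added illustration of how a defender might hunt for the chain described above (an ISO lure followed by a trojanized PuTTY), here is a small Python check over constructed log lines; it is not code from the article or from Mandiant, and the log format, usernames, paths and timestamps are all made up for the example. It flags an unsigned binary named putty.exe launched from outside the normal install directory shortly after the same user mounted an ISO.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): one simplified ISO mount record
# followed by three process-creation records.
SAMPLE_LOG = """\
2022-09-14T10:02:11 VHDMP mount user=jdoe path=C:\\Users\\jdoe\\Downloads\\amazon_assessment.iso
2022-09-14T10:02:40 PROC user=jdoe image=E:\\PuTTY.exe parent=C:\\Windows\\explorer.exe signed=false
2022-09-14T10:05:03 PROC user=jdoe image=C:\\Program Files\\PuTTY\\putty.exe parent=C:\\Windows\\explorer.exe signed=true
2022-09-15T08:00:00 PROC user=asmith image=E:\\putty.exe parent=C:\\Windows\\explorer.exe signed=false
"""

MOUNT_RE = re.compile(r"^(\S+) VHDMP mount user=(\S+) path=(.+\.iso)$", re.I)
PROC_RE = re.compile(r"^(\S+) PROC user=(\S+) image=(.+?) parent=(.+?) signed=(true|false)$", re.I)
EXPECTED_INSTALL_DIR = "c:\\program files\\putty\\"  # assumed standard install path


def find_suspicious_putty_launches(log_text, window=timedelta(minutes=10)):
    """Return (user, image, iso_path) for every unsigned putty.exe that a user
    started from outside the install directory within `window` of mounting an ISO."""
    recent_mounts = {}  # user -> (mount time, ISO path)
    hits = []
    for line in log_text.splitlines():
        m = MOUNT_RE.match(line)
        if m:
            recent_mounts[m.group(2)] = (datetime.fromisoformat(m.group(1)), m.group(3))
            continue
        p = PROC_RE.match(line)
        if not p:
            continue
        ts, user, image, _parent, signed = p.groups()
        if image.rsplit("\\", 1)[-1].lower() != "putty.exe":
            continue
        from_install_dir = image.lower().startswith(EXPECTED_INSTALL_DIR)
        mount = recent_mounts.get(user)
        recently_mounted = mount is not None and datetime.fromisoformat(ts) - mount[0] <= window
        if signed.lower() == "false" and not from_install_dir and recently_mounted:
            hits.append((user, image, mount[1]))
    return hits


if __name__ == "__main__":
    for user, image, iso in find_suspicious_putty_launches(SAMPLE_LOG):
        print(f"suspicious: {user} ran {image} after mounting {iso}")
```

Only the first process record is flagged: the signed copy in the install directory and the launch by a user with no preceding ISO mount are left alone.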