Researchers believe that hackers with links to the North Korean government have been distributing a Trojanized version of the PuTTY networking tool in a bid to compromise the networks of organizations they wish to monitor.
Researchers from security firm Mandiant said on Thursday that at least one customer it serves had an employee who installed the fake network utility by accident.
The incident left the employer infected with a backdoor that researchers track as AIRDRY.V2. The file was delivered by a group Mandiant tracks as UNC4034.
“Mandiant identified several overlaps between UNC4034 and threat clusters we suspect have a North Korean nexus,” company researchers wrote. “The AIRDRY.V2 C2 URLs belong to compromised website infrastructure previously leveraged by these groups and reported in several OSINT sources.”
PuTTY is an open-source SSH and Telnet client. Legitimate builds are signed by the official developer; the version sent in the WhatsApp message carried no such signature.
Mandiant said it was able to contain the compromise before any further post-exploitation activities could take place following the deployment of the implant.
The development is yet another sign that the use of ISO files for initial access is gaining traction among threat actors to deliver both commodity and targeted malware.
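A defender-side check that follows from the two points above (unsigned binary, ISO delivery), added here as an example and not part of the original article: the expected signer name is an assumption to confirm against the official PuTTY download page.

```powershell
# Added example (not from the article): verify a downloaded PuTTY binary's
# Authenticode signature before anyone runs it. $ExpectedSubjectPattern is an
# assumption; confirm it against the signer shown on the official download page.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ExpectedSubjectPattern = 'CN=Simon Tatham'   # assumed signer name
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Any status other than Valid (NotSigned, HashMismatch, UnknownError, ...) means
# the file is not the publisher's build, which is exactly the case described above.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    Write-Warning "Do not run this binary; re-download it from the official PuTTY site."
    exit 1
}

# A valid signature from the wrong publisher is still a red flag.
$subject = $sig.SignerCertificate.Subject
if ($subject -notmatch [regex]::Escape($ExpectedSubjectPattern)) {
    Write-Warning "Signed, but by an unexpected publisher: $subject"
    exit 1
}

# Files copied out of a mounted ISO often carry no Zone.Identifier stream, so
# Mark-of-the-Web based protections may never have evaluated them; note it for the analyst.
$zone = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if (-not $zone) {
    Write-Warning "No Mark-of-the-Web stream on this file (typical for files carried inside an ISO)."
}

Write-Output "OK: $Path is signed by $subject (thumbprint $($sig.SignerCertificate.Thumbprint))"
```

Run it as `.\Check-Putty.ps1 -Path .\putty.exe`; a non-zero exit code is the signal to quarantine the file rather than execute it.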
IOCS