Researchers believe that hackers with links to the North Korean government have been pushing a trojanized version of the PuTTY networking tool in a bid to break into the networks of organizations they wish to monitor.
Researchers from security firm Mandiant said on Thursday that at least one customer it serves had an employee who installed the fake network utility by accident.
The incident left the employer's network infected with a backdoor tracked by researchers as Airdry.v2. The file was delivered by a group Mandiant tracks as UNC4034.
“Mandiant identified several overlaps between UNC4034 and threat clusters we suspect have a North Korean nexus,” company researchers wrote. “The AIRDRY.V2 C2 URLs belong to compromised website infrastructure previously leveraged by these groups and reported in several OSINT sources.”
PuTTY is an open-source SSH and telnet client. Legitimate releases are signed by the official developer; the version sent in the WhatsApp message was not.
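As an added defender-side triage check (not code from Mandiant's report or from the PuTTY project), the script below parses a PE header and reports whether an Authenticode certificate table is attached at all; a putty.exe pulled out of an ISO that fails this test carries no vendor signature to verify. The `build_minimal_pe` helper constructs a synthetic PE32+ header stub for testing and is not a real PuTTY binary.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory index of the certificate table


def has_authenticode_signature(pe: bytes) -> bool:
    """Return True if the PE image's certificate table directory is populated.

    Presence only: this says a signature blob is attached, not that it is valid.
    Validate the chain and the signer name with signtool or Get-AuthenticodeSignature.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = e_lfanew + 4 + 20                      # skip "PE\0\0" and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt_off)
    if magic == 0x10B:                               # PE32
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:                             # PE32+
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (num_rva,) = struct.unpack_from("<I", pe, opt_off + nrva_off)
    if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False                                 # header too short to hold the entry
    entry = opt_off + dd_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    # For the certificate table the first field is a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, entry)
    return offset != 0 and size != 0


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed PE32+ header stub (not a runnable executable) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x1000, 0x800)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "signature attached" if has_authenticode_signature(fh.read()) else "UNSIGNED")
```

Run it against every executable extracted from a suspicious ISO; anything reported UNSIGNED is a candidate for quarantine before the stronger signer check is performed.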
Mandiant said it was able to contain the compromise before any further post-exploitation activities could take place following the deployment of the implant.
The development is yet another sign that the use of ISO files for initial access is gaining traction among threat actors to deliver both commodity and targeted malware.