Wave of North Korean cyber attacks delivered through trojanized open source applications

Microsoft issued an important security alert this past Thursday after confirming that numerous organizations in sectors such as defense, communications, aerospace and IT services had been compromised. The cause: North Korean government-backed hackers, a group Microsoft tracks as ZINC (previously known as Lazarus), distributing trojanized copies of open source software.

One of the hardest hit has been PuTTY, a popular terminal emulator, serial console and network file transfer application that supports protocols including SSH, rlogin, Telnet and raw socket connections. Trojanized copies of it carry espionage malware that aims to steal as much information as possible from the organization, compromising even the application's own functioning.

Two weeks ago, the security firm Mandiant had already warned about the danger surrounding PuTTY, after hackers from the reclusive Asian country used a trojanized version of it to compromise a client's network. This Thursday Microsoft added that the same attackers had trojanized other applications: KiTTY, TightVNC, Sumatra PDF Reader and muPDF/Subliminal Recording software. In every case the action is the same: the applications are laced with code that installs the espionage malware ZetaNile.

“Due to the wide use of the platforms and software it attacks, ZINC could pose a significant threat to individuals and organizations across multiple industries and regions,” the Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense teams wrote. It should be remembered that ZINC / Lazarus was behind the 2014 attack on Sony Pictures Entertainment, and has previously trojanized other open source applications with heavily encrypted code that ultimately installs spyware.

This is how the North Korean hackers operate

The modus operandi ZINC follows, as reported by Microsoft, is always the same. The hackers pose as recruiters offering bogus jobs and connect with employees of specific organizations through LinkedIn. After building a degree of trust, they ask to move the conversation to WhatsApp, where they instruct the would-be candidates to install certain applications, thereby infecting the targets' work environments.

The group relies mainly on spear phishing to reach victims, but also uses other forms of social engineering and website compromise. In this case it tricked or coerced victims into installing trojanized software on their work devices.

In trojanized applications such as PuTTY and KiTTY, Microsoft observed that the attackers use a clever mechanism to ensure that only certain targets are infected. The application installers themselves execute no malicious code; the ZetaNile malware is installed only when the application connects to a specific IP address using the login credentials that the fake recruiters give to victims.

One of the most common techniques used is DLL search order hijacking: the planted DLL loads and decrypts a second-stage payload, when presented with the key “0CE1241A44557AA438F27BC6D4ACA246”, that handles command and control. Once successfully connected to the C2 server, attackers can install additional malware on the compromised device.
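Two checks a defender can run on a downloaded build follow from the two mechanisms above: comparing the installer against the hash the vendor publishes (a trojanized copy cannot match it), and looking in the installed application's directory for a DLL whose name collides with one normally loaded from the Windows system directory, which is the setup DLL search order hijacking needs. The script below is an added example written for this article; it is not Microsoft's, Mandiant's or the PuTTY project's code. The `KNOWN_SYSTEM_DLLS` list, the placeholder hash and the sample install directory are all constructed for the demonstration.

```python
"""Defender-side checks for trojanized installers and DLL search-order hijacking.

Added example, not code from the article or from any vendor. Two checks:

1. compare an installer's SHA-256 with the value the vendor publishes;
2. list DLLs in an application directory whose names shadow DLLs that
   Windows would otherwise load from %SystemRoot%\\System32.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: a short, constructed list of DLL names an application normally
# resolves from the system directory. A real check would enumerate System32
# on the host being examined instead of using a fixed list.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "uxtheme.dll", "wtsapi32.dll"}


def sha256_of_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def installer_matches_published_hash(path, published_sha256):
    """True only if the file's SHA-256 equals the vendor-published value."""
    return sha256_of_file(path).lower() == published_sha256.strip().lower()


def dll_sideload_candidates(app_dir, system_dlls=KNOWN_SYSTEM_DLLS):
    """Return the DLL names in app_dir that shadow a system DLL.

    Windows searches the application's own directory before System32, so a
    DLL placed there under a system DLL's name is loaded in place of the real
    one. An application that ships no such DLL should produce an empty list.
    """
    found = []
    for entry in Path(app_dir).iterdir():
        if entry.is_file() and entry.suffix.lower() == ".dll":
            if entry.name.lower() in system_dlls:
                found.append(entry.name)
    return sorted(found)


def build_demo_dir():
    """Constructed sample install directory containing one shadowing DLL."""
    d = tempfile.mkdtemp(prefix="putty-demo-")
    Path(d, "putty.exe").write_bytes(b"MZ" + b"\x00" * 64)          # constructed, not a real PE
    Path(d, "README.txt").write_text("constructed sample install\n")
    Path(d, "version.dll").write_bytes(b"MZ" + b"\x00" * 16)        # constructed; shadows system version.dll
    Path(d, "plugin_helper.dll").write_bytes(b"MZ" + b"\x00" * 16)  # app-specific name, not flagged
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    print("sideload candidates:", dll_sideload_candidates(demo))
    # PLACEHOLDER: substitute the SHA-256 the vendor publishes for the build.
    published = "0" * 64
    print("installer matches published hash:",
          installer_matches_published_hash(os.path.join(demo, "putty.exe"), published))
```

The hash check only helps if the published value comes from the vendor's own site over HTTPS, not from the same page or chat that delivered the installer; the DLL check is a triage signal rather than proof, since a flagged file still needs its signature and origin examined.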
