About Me

Prameet
Prameet Nanda is a security consultant and an author on cyber security. He holds a BCA degree in Computer Science and has worked in IT security and web application development, delivering IT solutions for companies in many countries. He is passionate about technology and loves what he does. After many years of experience in computer science, he turned his attention to cyber security and the importance of security in this minefield. His passion for ethical hacking, combined with his background in programming and IT, makes him a versatile, Swiss-army-knife professional in the computer science field.

North Korea-linked Hackers spread tainted versions of PuTTY via WhatsApp

In July 2022, Mandiant identified a novel spear-phishing methodology employed by the North Korea-linked threat actor UNC4034. The attackers are spreading tainted versions of the PuTTY SSH and Telnet client. The attack chain starts with a fake job opportunity at Amazon sent to the victims via email. UNC4034 then moved the conversation to WhatsApp and, once contact was established there, tricked the victims into downloading a malicious ISO image disguised as job material.

The archive holds a text file containing an IP address and login credentials, and a backdoored version of PuTTY that was used to load a dropper called DAVESHELL, which deploys a newer variant of a backdoor dubbed AIRDRY. AIRDRY, also known as BLINDINGCAN, is one of the backdoors used by North Korea-linked APT groups in previous attacks.

Clearly, the attackers convinced the victim to launch a PuTTY session using the credentials contained in the TXT file to connect to the remote host.

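The lure described above has a recognisable shape on disk: an executable carrying a well-known tool's name next to a text file holding a host address and credentials. The script below is an added defender-side example, not code from this post or from Mandiant; it triages the contents of a mounted ISO or extracted archive, flags any executable whose SHA-256 is not on a locally vetted allowlist, and flags text files that pair credential keywords with an IPv4 address. The allowlist entry, the file names, the keyword heuristics and the sample drop it builds in a temporary directory are all constructed for illustration (the hash value is a placeholder, not a real PuTTY release hash).

```python
"""Triage a mounted ISO / extracted archive for the pattern described in the post:
an unvetted binary named like a trusted tool, plus a text file with host + credentials.
Added example; all names, hashes and heuristics here are constructed assumptions."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed allowlist: SHA-256 digests of binaries you have vetted yourself
# (e.g. hashed from an installer obtained through the vendor's official channel).
# The value below is a PLACEHOLDER, not a genuine PuTTY hash.
TRUSTED_SHA256 = {
    "putty.exe": {"PLACEHOLDER_VETTED_SHA256_GOES_HERE"},
}

EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".msi"}
# Heuristics for a "connection details" file: credential keywords plus an IPv4 literal.
CRED_PATTERN = re.compile(r"(?i)\b(pass(word)?|pwd|user(name)?|login)\b")
IPV4_PATTERN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large ISO payloads are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path) -> dict:
    """Walk the drop and return two lists of findings, paths relative to root."""
    findings = {"untrusted_executables": [], "credential_files": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        suffix = path.suffix.lower()
        if suffix in EXEC_SUFFIXES:
            digest = sha256_of(path)
            # A tool name alone proves nothing; only a vetted digest is trusted.
            if digest not in TRUSTED_SHA256.get(path.name.lower(), set()):
                findings["untrusted_executables"].append((rel, digest))
        elif suffix == ".txt":
            text = path.read_text(errors="replace")
            if CRED_PATTERN.search(text) and IPV4_PATTERN.search(text):
                findings["credential_files"].append(rel)
    return findings


def build_sample_drop() -> Path:
    """Create a constructed sample drop in a temp directory (not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="iso_drop_"))
    # Constructed connection-details file; 192.0.2.0/24 is a documentation range.
    (root / "readme.txt").write_text(
        "host: 192.0.2.10\nuser: recruiter\npassword: example\n"
    )
    # Stand-in bytes with an MZ header; not a real PE and not the vetted binary.
    (root / "putty.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "notes.txt").write_text("Thanks for applying.\n")
    return root


if __name__ == "__main__":
    sample = build_sample_drop()
    for kind, items in triage(sample).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run it as-is to see the constructed drop triaged; to use it on a real mount point, replace `build_sample_drop()` with the mount directory and populate `TRUSTED_SHA256` from binaries you hashed yourself. Hash allowlisting is deliberately the only trust signal here: a familiar file name, icon or even a working SSH client are exactly what a backdoored build preserves.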

-Prameet