Researchers believe hackers with connections to the North Korean government have been pushing a Trojanized version of the PuTTY networking utility in an attempt to backdoor the network of organizations they want to spy on.
Researchers from security firm Mandiant said on Thursday that at least one customer it serves had an employee who installed the fake network utility by accident. The incident caused the employer to become infected with a backdoor tracked by researchers as Airdry.v2. The file was transmitted by a group Mandiant tracks as UNC4034.
“Mandiant identified several overlaps between UNC4034 and threat clusters we suspect have a North Korean nexus,” company researchers wrote. “The AIRDRY.V2 C2 URLs belong to compromised website infrastructure previously leveraged by these groups and reported in several OSINT sources.”
The threat actors posed as people recruiting the employee for a job at Amazon. They sent the target a message over WhatsApp that transmitted a file named amazon_assessment.iso. ISO files have been increasingly used in recent months to infect Windows machines because, by default, double-clicking on them causes them to mount as a virtual machine. Among other things, the image had an executable file titled PuTTY.exe.
PuTTY is an open source secure shell and telnet application. Secure versions of it are signed by the official developer. The version sent in the WhatsApp message was not signed.
The executable file installed the latest version of Airdry, a backdoor the US government has attributed to the North Korean government. The US Cybersecurity and Infrastructure Security Agency has a description here. Japan’s community emergency response team has this description of the backdoor, which is also tracked as BLINDINGCAN.