Mandiant analysts have warned of a backdoor-infected version of the PuTTY utility, presumably created by North Korean hackers from the UNC4034 group (aka Temp.Hermit or Labyrinth Chollima). Apparently, a malicious version of PuTTY is being used to break into organizations that are of interest to attackers.
Let me remind you that we also wrote that Pirated Software Like Hacked 3DMark Is Used to Distribute RedLine Infostealer, and also that North Korean Hackers Attack Small and Medium Businesses with H0lyGh0st Ransomware.
Typically, such attacks start with the attackers contacting their targets via email and making them a tempting offer, ostensibly offering them a job at Amazon. The hackers then send a WhatsApp message to the victim sharing the amazon_assessment.iso file. Recently, ISO files have been increasingly used to infect Windows machines, because double-clicking on them mounts them by default.
The ISO includes a text file (readme.txt) containing an IP address and login credentials, as well as a malicious version of PuTTY (PuTTY.exe). Interestingly, according to Bleeping Computer, hackers also use the KiTTY SSH client (a fork of PuTTY) in their attacks, and in such cases the file name will be Amazon-KiTTY.exe.
It is not yet clear exactly how the dialogue between the attackers and the victims is built, but it seems that the hackers convinced the victims to open the ISO image and use the suggested SSH tool and credentials to connect to the host in order to undergo some testing.
Although the malicious version of PuTTY was equipped with a malicious payload, it was fully functional (because it was compiled from a legitimate version of the program). But the researchers pay attention to the fact that the legitimate versions of PuTTY are signed by the developer, but the hacker versions are not.
The Mandiant report states that the hackers modified the connect_to_host() function so that a successful SSH connection using the supplied credentials would deploy the malicious DAVESHELL shellcode in DLL format (colorui.dll) packaged with Themida.
To make the launch of the shellcode invisible, the malicious PuTTY uses a vulnerability in colorcpl.exe, and DAVESHELL acts as a dropper for the final payload, the AIRDRY.V2 backdoor, which runs directly in memory.
General scheme of attack
Although the backdoor has the ability to use a proxy server and track active RDP sessions, the version studied by Mandiant has these features disabled by default. So, the updated AIRDRY.V2 supports only nine commands:
- download basic information about the system;
- update the beacon interval based on the values provided by the control server;
- deactivate before the new date and time;
- load the current configuration;
- update configuration;
- keep active;
- update beacon interval based on configuration values;
- update the AES key used to encrypt C&C requests and configuration data;
- load and run the plugin in memory.
According to the researchers, compared to the previous version of AIRDRY, the new version supports fewer commands, but execution in memory and updating the AES key to communicate with the control server are new features for it.