North Korean hackers have been installing backdoors on targets’ computers using trojanized versions of the PuTTY SSH client. Mandiant, a cyber threat defense company, released a technical analysis report naming “UNC4034” as the threat cluster behind this campaign (also known as “Temp.Hermit” or “Labyrinth Chollima”).
Operation Dream Job continues its operation
The hackers appear to be continuing “Operation Dream Job,” which was first observed earlier this June. In July 2022, Mandiant Managed Defense discovered a new spear phishing technique used by the threat cluster tracked as UNC4034 during proactive threat hunting at a media organization. The campaign now targets media companies using a trojanized version of the PuTTY SSH client.
According to reports, the attackers allegedly contacted targets with a phishing email containing a job offer from Amazon. Once the victim clicked through to the phishing page, the threat actor would steer the victim into a WhatsApp conversation, where an ISO file called “amazon assessment.iso” was shared.
The ISO file contained a trojanized PuTTY executable together with an IP address and login credentials. The hackers instructed the users to open the ISO file and use the SSH tool with the included credentials to connect to the server for a skills evaluation.
According to Mandiant, the analyzed sample can check for active RDP sessions and use a proxy server; both features are disabled by default.
AIRDRY.V2 supports the following nine commands:
- Upload basic system information
- Update the beacon interval
- Deactivate until the new start date and time
- Upload the current configuration
- Update the configuration
- Keep-alive
- Update the AES key
- Configuration data
- Download and execute a plugin in memory
Compared with the previous version, the new AIRDRY variant supports fewer commands. However, plugin execution in memory and an AES key for C2 communications are new capabilities. According to the report, the backdoor’s adaptability is unaffected by the smaller command set, because fetching plugins from the C2 server creates additional opportunities for more precise attacks.