
Operation Dream Job Continues, Uses Trojanized PuTTY SSH Client

Operation Dream Job, which was discovered in 2020 is operating again using a trojanized PuTTY SSH Client to backdoor media companies.

Published September 17, 2022

North Korean hackers have been installing backdoors on targets’ computers using trojanized versions of the PuTTY SSH client. Mandiant, a cyber threat defense solution company, released a technical analysis report identifying “UNC4034” as the threat cluster behind this campaign (aka “Temp.Hermit” or “Labyrinth Chollima”).

Operation Dream Job continues its operation

The hackers appear to be continuing “Operation Dream Job,” which was first observed earlier this June. In July 2022, Mandiant Managed Defense identified a new spear-phishing technique used by the threat cluster tracked as UNC4034 during proactive threat hunting at a media organization. The campaign now targets media companies with a trojanized version of the PuTTY SSH client.

According to reports, the attackers allegedly contacted targets with a phishing email containing a job offer from Amazon. Once the victim clicked on the phishing page, the threat actor would steer the victim into a WhatsApp conversation, where an ISO file called “amazon assessment.iso” was shared.

The ISO file contained a trojanized PuTTY executable together with an IP address and login credentials. The hackers instructed the users to open the ISO file, use the included SSH tool and credentials to connect to the server, and complete a skills evaluation.
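The delivery chain described above (an ISO mounted by the user, a PuTTY binary launched from inside it, and a direct connection to a bare IP address with supplied credentials) leaves a recognisable trace in endpoint process telemetry. The following triage script is an added example, not code from the article or from Mandiant’s report: it scores constructed Sysmon-style process-creation records for PuTTY launches that match that pattern. The drive letter, file paths, IP address and password in the sample records are constructed; the `-pw` option is PuTTY’s own command-line switch for passing a password inline.

```python
import re
from dataclasses import dataclass, field

# Constructed Sysmon-style process-creation records (Event ID 1 fields). These are
# sample values made up for this example, not indicators from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\PuTTY\putty.exe",
     "CommandLine": r'"C:\Program Files\PuTTY\putty.exe"'},
    {"Image": r"E:\amazon assessment\putty.exe",
     "CommandLine": r'"E:\amazon assessment\putty.exe" -ssh candidate@203.0.113.10 -pw Passw0rd!'},
    {"Image": r"C:\Users\alice\Downloads\putty.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\putty.exe" -ssh 203.0.113.10'},
]

# Drive letters currently backed by a mounted ISO image. In a real deployment this
# would come from virtual-disk mount telemetry; here it is a constructed value.
MOUNTED_ISO_DRIVES = {"E:"}

# Directories where a legitimately installed PuTTY is expected to live (lower-cased).
TRUSTED_DIRS = ("c:\\program files\\putty\\", "c:\\program files (x86)\\putty\\")

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# PuTTY's real -pw option passes the password on the command line.
PW_FLAG = re.compile(r"(?i)(?:^|\s)-pw\s")


@dataclass
class Finding:
    image: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Three or more independent indicators on one launch is treated as high.
        if len(self.reasons) >= 3:
            return "high"
        return "medium" if self.reasons else "info"


def score_event(event: dict):
    """Return a Finding for putty.exe launches matching the lure pattern, else None."""
    image = event.get("Image", "")
    if not image.lower().endswith("\\putty.exe"):
        return None
    finding = Finding(image=image)
    if not image.lower().startswith(TRUSTED_DIRS):
        finding.reasons.append("putty.exe run outside its standard install directory")
    if image[:2].upper() in MOUNTED_ISO_DRIVES:
        finding.reasons.append("binary executed directly from a mounted ISO image")
    cmd = event.get("CommandLine", "")
    if PW_FLAG.search(cmd):
        finding.reasons.append("password passed on the command line (-pw)")
    if IPV4.search(cmd):
        finding.reasons.append("connection to a bare IP address rather than a hostname")
    return finding if finding.reasons else None


def triage(events):
    """Score every record and keep only those with at least one indicator."""
    return [f for f in (score_event(e) for e in events) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image}")
        for r in f.reasons:
            print("   -", r)
```

Each indicator on its own is noisy (administrators do run portable PuTTY builds and connect to raw IPs), so the logic accumulates reasons per launch rather than alerting on any single one; the launch from the mounted ISO with inline credentials is the only record that reaches high severity.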

According to Mandiant, the analyzed sample can check for active RDP sessions and route traffic through a proxy server; both features are disabled by default.

AIRDRY.V2 supports the following nine commands:

  • Upload basic system information
  • Update the beacon interval based
  • Deactivate until the new start date and time
  • Upload the current configuration
  • Update the configuration
  • Keep-alive
  • Update the AES key
  • Configuration data
  • Download and execute a plugin in memory

Compared with the previous version, the new AIRDRY variant supports fewer commands. However, in-memory plugin execution and an AES key for C2 communications are new capabilities. As per the report, the smaller command set does not reduce the backdoor’s adaptability, because fetching plugins from the C2 gives the operators additional, more targeted options on demand.
