What is PuTTY?
PuTTY [1] is a free SSH and Telnet client, best known on Windows. It is open source, so its code is public: anyone can read it, and anyone can modify it and rebuild a client that looks and behaves exactly like the real one. That is what happened here. The attackers did not exploit a bug in PuTTY; they shipped their own build of it with extra code inside, which is why the trojanized copy works as a perfectly functional SSH client and gives the victim no reason to suspect anything.
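Because a rebuilt PuTTY is indistinguishable in use from the real one, the only reliable check before running a copy is to compare its hash against the manifest the project publishes for each release. The script below is an added example, not code from the original post or from the PuTTY project. It parses the `sha256sum`-style manifest format (one `hash  path` line per file) and verifies a binary against it; the manifest and "putty.exe" it checks are constructed on the fly for the demo, so no real release hash appears here.

```python
"""Verify a downloaded PuTTY binary against a sha256sums-style manifest.

Added example, not from the original post or the PuTTY project. The manifest
lines used below are CONSTRUCTED for this demo (the hash is computed from a
file created on the fly). In practice the manifest comes from the official
PuTTY site over HTTPS and the binary is checked before it is ever run.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'hash  path' lines as written by sha256sum(1).

    Returns {basename: hash}. Blank or malformed lines are skipped, and the
    leading '*' that sha256sum puts on binary-mode paths is stripped.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            continue
        name = name.strip().lstrip("*")
        table[os.path.basename(name)] = digest
    return table


def verify_binary(path, sums_text):
    """Return (ok, reason). ok is True only on an exact hash match."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False, "no manifest entry for this file name"
    actual = sha256_file(path)
    if actual != expected:
        return False, f"hash mismatch: expected {expected}, got {actual}"
    return True, "hash matches manifest"


def demo():
    """Build a stand-in 'putty.exe' and a matching manifest, then tamper with the file.

    Returns (result before tampering, result after tampering) as booleans.
    """
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "putty.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 1024)  # constructed stand-in for a PE file
        sums = f"{sha256_file(exe)}  w64/putty.exe\n"  # constructed manifest line
        good, _ = verify_binary(exe, sums)
        with open(exe, "ab") as f:
            f.write(b"\x90")  # a single appended byte is enough to break the hash
        bad, _ = verify_binary(exe, sums)
        return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A manifest that arrived through the same chat or download page as the binary proves nothing; fetch it independently from the official project site. On Windows the official release binaries are also code-signed, so checking the Authenticode signature is a second, independent test that a rebuilt binary fails.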
Who is UNC4034?
Mandiant attributes the compromise to UNC4034 [2]. The UNC ("uncategorized") prefix means the cluster is newly designated and has not yet been merged into a named group, so it has little public history; I am still looking into what else has been tied to it. Mandiant does link it to the North Korean activity it tracks as TEMP.Hermit, which other vendors track under names such as Labyrinth Chollima. The connection the reporting draws to APT29 is narrower than a resemblance between the groups: delivering the lure inside an ISO image is a technique Mandiant had already seen from APT29. ISOs are attractive because a downloaded image mounts with a double-click on modern Windows and, at the time, the files inside did not carry the Mark-of-the-Web, so the usual SmartScreen warning did not appear. UNC4034 relies on spear phishing to reach its victims. Spear phishing is phishing aimed at a specific person or role and built around something the target expects (here, a job offer); it is usually associated with email, but as this case shows the lure can arrive over any channel, including WhatsApp.
The Compromise
The approach was a fake job offer. A "recruiter" made contact, moved the conversation to WhatsApp, and eventually sent the victim an ISO image to download, framed as part of the hiring process. The ISO holds a trojanized build of PuTTY [3] together with a host address and login credentials supplied by the recruiter. Once mounted, the contents look harmless and the PuTTY inside launches and behaves exactly like the real client; the supplied credentials log in without error, which is the point. The malicious code sits in PuTTY's SSH connection-handling path and runs only after a successful connection, so a victim who never logs in triggers nothing, and a sandbox that does not complete the login sees a binary that behaves like clean PuTTY. After the login succeeds, the trojan deploys the AIRDRY.V2 backdoor. A backdoor gives the attacker persistent remote access to the machine; AIRDRY.V2 connects out to the attackers' command-and-control (C2) infrastructure to receive tasking, so from that point the host is under their control.
- Advanced Persistent Threat (APT): a well-resourced group, usually state-sponsored or state-aligned, with a history of organized, sophisticated and long-running operations aimed at a specific objective.
- [1] PuTTY: https://www.putty.org/ (note that this is a third-party site; the project's own download page is https://www.chiark.greenend.org.uk/~sgtatham/putty/, and binaries and hash manifests should be taken from there).
- [2] UNC4034: the threat group Mandiant recently exposed running a spear-phishing campaign over email and WhatsApp.
- [3] Trojan: a program that appears legitimate or useful but carries a backdoor or other malicious code; in some cases a precursor to ransomware.
- Mandiant article: https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing