Lazarus Group Affiliate Uses Trojanized Open Source Apps in New Campaigns

The North Korean attack group responsible for the compromise of Sony Pictures Entertainment and numerous other operations has conducted long-term phishing campaigns that rely on social engineering and spoofing and deliver trojanized versions of legitimate open source applications to compromise targets at technology, media, and other companies.

The campaigns are the work of a threat actor that Microsoft calls ZINC and that is affiliated with the Lazarus Group, a highly active threat actor that performs cyber espionage and other operations. The group has targeted a wide range of businesses over the past decade and is known to use a variety of tools and malware. In the new campaigns, Microsoft researchers saw the actor using an implant called ZetaNile, which ZINC actors inserted into copies of several legitimate open-source tools, including the PuTTY and KiTTY SSH clients.

“Both utilities provide terminal emulator support for various network protocols, making them attractive programs for people commonly targeted by ZINC. Militarized versions were often delivered as compressed ZIP archives or ISO files. In this archive, the recipient receives a ReadMe.txt file and an executable file to run,” Microsoft Threat Intelligence and LinkedIn Threat Prevention and Defense researchers said in an analysis of recent campaigns.

“As part of the evolution of ZINC malware development, and in an effort to evade traditional defenses, running the included executable does not remove the ZetaNile implant. In order for ZetaNile to be deployed, the ssh utility requires the IP address provided in the ReadMe.txt file.”

One of the key elements of the campaigns is the use of LinkedIn personas as the initial contact vector for victims. ZINC actors create fake profiles on LinkedIn, posing as recruiters at defense, tech, or entertainment companies, then trick the victims into moving the conversations to WhatsApp. At some point, the ZINC actors provide the victims with an application trojanized with ZetaNile. The actor has used the trojanized PuTTY infection method in the past, but only recently started using KiTTY. KiTTY is a fork of PuTTY, and in both cases, ZINC uses DLL search order hijacking to load a malicious DLL on the victim’s machine.
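The delivery layout and the DLL search order hijacking described above suggest a simple triage check for archives that users receive. The following is an added example, not code from Microsoft's analysis or from the article: it handles ZIP archives only, assumes the hijacking DLL sits in the same folder as the executable, and uses an illustrative list of system DLL names and constructed sample archives with hypothetical file names.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Illustrative subset of DLL names that normally load from System32 (assumption,
# not a list from the article). A copy beside an EXE is a hijack candidate.
SYSTEM_DLL_NAMES = {"version.dll", "winmm.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll"}


def triage_archive(data: bytes) -> list[str]:
    """Return triage hints for a ZIP whose layout matches the delivery pattern."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [PurePosixPath(n) for n in zf.namelist() if not n.endswith("/")]
    by_dir = {}
    for p in names:
        by_dir.setdefault(str(p.parent), []).append(p.name.lower())
    for folder, files in sorted(by_dir.items()):
        exes = sorted(f for f in files if f.endswith(".exe"))
        if not exes:
            continue  # no executable in this folder, nothing to hijack
        if any(f.startswith("readme") and f.endswith(".txt") for f in files):
            findings.append(f"{folder}: ReadMe text file shipped next to {exes[0]}")
        for dll in sorted(set(files) & SYSTEM_DLL_NAMES):
            findings.append(f"{folder}: {dll} beside {exes[0]} shadows a system DLL")
    return findings


def build_sample(files: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory ZIP for the demo (placeholder contents only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: file names are hypothetical, contents are placeholders.
SUSPICIOUS = build_sample({
    "tool/putty.exe": b"placeholder",
    "tool/ReadMe.txt": b"placeholder",
    "tool/version.dll": b"placeholder",
})
BENIGN = build_sample({"docs/manual.pdf": b"placeholder", "docs/notes.txt": b"placeholder"})

if __name__ == "__main__":
    for finding in triage_archive(SUSPICIOUS):
        print(finding)
```

The findings are hints for an analyst rather than verdicts, since legitimate software also ships ReadMe files and private copies of DLLs.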

Over the past few weeks, ZINC has also used a trojanized version of the TightVNC Viewer remote administration application, as well as two PDF readers, Sumatra PDF and muPDF/Subliminal Recording installer.

“As part of the threat actor’s latest malware technique to evade traditional defenses, the malicious TightVNC viewer has a pre-populated list of remote hosts, and it’s configured to install the backdoor only when the user selects ec2-aet-tech.w-ada[.]amazonaws from the TightVNC Viewer drop-down menu,” the analysis says.

ZINC/Lazarus actors have shown tenacity and the ability to innovate and change their tactics as needed over the years. Despite an intense focus on the group’s activities in both the research and law enforcement communities, the group has continued to conduct operations against significant targets. Organizations targeted by the group in recent campaigns were in the US, UK, Russia and India.
