North Korea-linked threat actors, including the Lazarus Group, have been observed using a spear-phishing chain built around a trojanized copy of the PuTTY SSH and Telnet client. In the intrusion Mandiant analyzed, the lure began as a fake job offer sent by email; the conversation then moved to WhatsApp, where the attacker sent a supposed "job assessment" packaged as an ISO file. The ISO contained a text file with an IP address to connect to and logon credentials, alongside a modified PuTTY executable. When run, that PuTTY binary loaded a dropper known as DAVESHELL, which in turn deployed a variant of the AIRDRY backdoor that North Korean actors have used before. Unlike earlier AIRDRY versions, which received individual commands from the C2, this variant downloads plugins and executes them in memory to carry out its post-compromise activity, leaving less on disk for defenders to find. For defenders, two practical checks follow from this chain: treat ISO attachments as executable content (a double-click mounts them as a drive letter), and verify any SSH client received outside normal software channels against the publisher's Authenticode signature and published release hashes rather than trusting the file name, since the malicious binary is presented to the user simply as PuTTY.
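The detection side of that chain, as an added example (not code from Binary Defense or Mandiant): a small Python check run over constructed Sysmon-style process-creation records. Field names follow Sysmon Event ID 1 (Image, OriginalFileName, Hashes); the Signed/Signature fields Sysmon reports for image loads are assumed to have been joined onto each record. The hashes, paths and signer string below are made up for the example, and the allow-list and expected signer would be populated from verified PuTTY releases at deployment time.

```python
"""
Added example: flag PuTTY executions that look like the trojanized-PuTTY
lure (unsigned or wrongly signed binary, unknown release hash, launched
from a non-fixed drive such as a mounted ISO). All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed allow-list of known-good PuTTY release SHA-256 hashes. These are
# placeholder values, not real PuTTY hashes; populate from verified releases.
KNOWN_GOOD_PUTTY_SHA256: Set[str] = {"1" * 64}

# Assumed expected Authenticode signer name, taken from a verified PuTTY copy
# at deployment time. Placeholder value for the example.
EXPECTED_PUTTY_SIGNER = "Simon Tatham"

# Drives that hold installed software on the monitored hosts (assumption).
# Anything else (mounted ISO, USB stick) is treated as suspicious for PuTTY.
FIXED_DRIVES: Set[str] = {"C:"}


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event 1 record plus joined signature fields."""
    image: str               # full path of the executable
    original_file_name: str  # OriginalFileName from the PE version resource
    hashes: str              # Sysmon Hashes field, e.g. "SHA256=...,MD5=..."
    signed: bool             # Authenticode signature present and valid
    signature: str           # signer subject name, "" if unsigned
    parent_image: str = ""
    command_line: str = ""


def parse_hashes(hashes: str) -> Dict[str, str]:
    """Split Sysmon's "ALG=value,ALG=value" Hashes field into a dict."""
    out: Dict[str, str] = {}
    for part in hashes.split(","):
        if "=" in part:
            alg, value = part.split("=", 1)
            out[alg.strip().upper()] = value.strip().lower()
    return out


def is_putty(ev: ProcessEvent) -> bool:
    """Match on the PE's OriginalFileName or on the on-disk file name."""
    basename = ev.image.lower().rsplit("\\", 1)[-1]
    return ev.original_file_name.lower() in {"putty", "putty.exe"} or basename == "putty.exe"


def drive_of(path: str) -> str:
    """Return the drive letter prefix ("E:") of a Windows path, or ""."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def analyze(ev: ProcessEvent,
            known_good: Set[str] = KNOWN_GOOD_PUTTY_SHA256,
            fixed_drives: Set[str] = FIXED_DRIVES) -> List[str]:
    """Return a list of finding labels for a PuTTY execution; [] if clean."""
    if not is_putty(ev):
        return []
    findings: List[str] = []
    # 1. The binary claims to be PuTTY but is unsigned or signed by someone else.
    if not ev.signed or ev.signature != EXPECTED_PUTTY_SIGNER:
        findings.append("putty-signature-mismatch")
    # 2. Hash is not one of the vetted release builds.
    sha256 = parse_hashes(ev.hashes).get("SHA256")
    if sha256 not in {h.lower() for h in known_good}:
        findings.append("putty-unknown-hash")
    # 3. Launched from a drive that is not a fixed system drive (mounted ISO).
    drive = drive_of(ev.image)
    if drive and drive not in fixed_drives:
        findings.append("putty-run-from-nonfixed-drive")
    return findings


def scan(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Map each flagged image path to its findings."""
    return {ev.image: analyze(ev) for ev in events if analyze(ev)}


# Constructed sample records: a vetted install, a PuTTY run from a mounted ISO,
# and an unrelated process that should be ignored.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(image=r"C:\Program Files\PuTTY\putty.exe", original_file_name="PuTTY",
                 hashes="SHA256=" + "1" * 64 + ",MD5=" + "a" * 32,
                 signed=True, signature="Simon Tatham",
                 parent_image=r"C:\Windows\explorer.exe"),
    ProcessEvent(image=r"E:\putty.exe", original_file_name="PuTTY",
                 hashes="SHA256=" + "2" * 64,
                 signed=False, signature="",
                 parent_image=r"C:\Windows\explorer.exe"),
    ProcessEvent(image=r"C:\Windows\System32\notepad.exe", original_file_name="NOTEPAD.EXE",
                 hashes="SHA256=" + "3" * 64, signed=True, signature="Microsoft Windows"),
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(findings))
```

Any one of the three findings is worth a look on its own; all three together on the same event is the shape of the lure described above. Tuning the drive check to your environment matters most, since legitimately installed portable tools can live on non-system drives.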
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.