North Korea-linked threat actors, including the Lazarus Group, have been detected leveraging a novel spear phishing methodology that involves the use of trojanized versions of the PuTTY SSH and Telnet client. Researchers at Mandiant observed an attack that started with a fake job lure via email, which led to the attacker sending a fake “job assessment” in the form of an ISO file over WhatsApp. This ISO file contained an IP address to connect to, logon credentials, and an altered version of the PuTTY application. When executed, this PuTTY application loaded a dropper called DAVESHELL, which then deployed a variant of a backdoor known as AIRDRY that North Korean actors have used in the past. This version of AIRDRY then downloaded plugins that were executed in memory to conduct post-compromise activity, in lieu of the command-based approach seen in past variants of this backdoor.