The North Korean attack group responsible for the compromise of Sony Pictures Entertainment and many other operations has been running long-term phishing campaigns that rely on social engineering and impersonation, and deliver trojanized versions of legitimate open source applications to compromise targets inside technology, media, and other companies.
The campaigns are the work of a threat actor that Microsoft calls ZINC and is affiliated with the Lazarus group, a highly active threat actor that performs cyber espionage and other operations. The group has targeted a wide range of companies in the past decade, and is known to use a variety of tools and pieces of malware. In the new campaigns, Microsoft researchers saw the actor using an implant called ZetaNile, which ZINC actors have inserted into copies of several legitimate open source tools, including the PuTTY and KiTTY SSH clients.
“Both utilities provide terminal emulator support for different networking protocols, making them attractive programs for individuals commonly targeted by ZINC. The weaponized versions were often delivered as compressed ZIP archives or ISO files. Within that archive, the recipient is provided a ReadMe.txt and an executable file to run,” the researchers with Microsoft Threat Intelligence and LinkedIn Threat Prevention and Defense said in an analysis of the recent campaigns.
“As part of the evolution of ZINC’s malware development, and in an effort to evade traditional defenses, running the included executable does not drop the ZetaNile implant. For ZetaNile to be deployed, the SSH utility requires the IP provided in the ReadMe.txt file.”
One key piece of the campaigns is the use of LinkedIn personas as initial outreach vectors for victims. ZINC actors create fake personas on LinkedIn, posing as recruiters at defense, tech, or entertainment companies, and then lure the victims into moving the conversations onto WhatsApp. ZINC actors would at some point deliver the ZetaNile-compromised application to the victims. The actor has used the compromised PuTTY infection method in the past, but only recently started using KiTTY, too. KiTTY is a fork of PuTTY, and in both cases, ZINC uses DLL search order hijacking in order to load a malicious DLL onto the victim’s machine.
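The two details above that matter most to a defender are the archive layout (an executable, a ReadMe.txt, and a DLL sitting beside the executable for search order hijacking) and the fact that the implant only deploys once the user feeds the IP from the ReadMe to the SSH client. The following triage script is an added example and is not from the Microsoft analysis; it walks an extracted download and flags executables staged that way. The directory layout, file names (`helper.dll`, `putty.exe`) and the documentation-range address in the constructed ReadMe are all assumptions made for the demonstration.

```python
import ipaddress
import os
import re
import tempfile

# Matches dotted-quad candidates; ipaddress validates each octet range.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4(text):
    """Return the valid IPv4 literals found in text, in order, de-duplicated."""
    seen = []
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            continue
        if candidate not in seen:
            seen.append(candidate)
    return seen


def triage_directory(root):
    """Walk an extracted archive and flag executables staged like the lures.

    Returns {relative_exe_path: [reason, ...]} using '/' separators.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files if f.lower().endswith(".dll"))
        readme = next((f for f in files if f.lower() == "readme.txt"), None)
        for exe in exes:
            reasons = []
            if dlls:
                # A DLL shipped next to the executable is the staging that
                # DLL search order hijacking relies on.
                reasons.append("DLL beside executable: " + ", ".join(dlls))
            if readme:
                reasons.append("ReadMe.txt beside executable")
                readme_path = os.path.join(dirpath, readme)
                with open(readme_path, encoding="utf-8", errors="replace") as fh:
                    ips = extract_ipv4(fh.read())
                if ips:
                    # Per the analysis, the implant only deploys when the
                    # user connects to the IP given in the ReadMe.
                    reasons.append("IPv4 in ReadMe.txt: " + ", ".join(ips))
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, exe), root)
                findings[rel.replace(os.sep, "/")] = reasons
    return findings


def build_sample(root):
    """Create a constructed sample layout: one staged lure, one clean copy."""
    staged = os.path.join(root, "staged")
    clean = os.path.join(root, "clean")
    os.makedirs(staged)
    os.makedirs(clean)
    # Placeholder bytes only; these are not real binaries (constructed).
    with open(os.path.join(staged, "putty.exe"), "wb") as fh:
        fh.write(b"MZ placeholder")
    with open(os.path.join(staged, "helper.dll"), "wb") as fh:
        fh.write(b"MZ placeholder")
    with open(os.path.join(staged, "ReadMe.txt"), "w", encoding="utf-8") as fh:
        # 203.0.113.10 is a documentation-range address (constructed).
        fh.write("Connect to 203.0.113.10 with the account details below.\n")
    with open(os.path.join(clean, "putty.exe"), "wb") as fh:
        fh.write(b"MZ placeholder")


def run_demo():
    """Build the sample in a temp dir and return the triage findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return triage_directory(root)


if __name__ == "__main__":
    for path, reasons in run_demo().items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run against a real extracted archive with `triage_directory("/path/to/extracted")`. The script reports staging, not maliciousness: a flagged executable should then be compared against the vendor's published checksum or signature before it is run.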
In the last few weeks, ZINC also has been using a trojanized version of the TightVNC Viewer remote administration application, as well as two PDF readers, Sumatra PDF and muPDF/Subliminal Recording installer.
“As part of the threat actor’s latest malware technique to evade traditional defenses, the malicious TightVNC Viewer has a pre-populated list of remote hosts, and it’s configured to install the backdoor only when the user selects ec2-aet-tech.w-ada[.]amazonaws from the drop-down menu in the TightVNC Viewer,” the analysis says.
The ZINC/Lazarus group attackers have shown tenacity and the ability to innovate and shift their tactics as needed over the years. Despite intense focus on the group’s activities from both the research and law enforcement communities, the group has continued to run operations against significant targets. The organizations that the group targeted in the recent campaigns were in the United States, UK, Russia, and India.