Microsoft says the North Korean-sponsored Lazarus threat group is trojanizing legitimate open-source software and using it to backdoor organizations in many industry sectors, such as technology, defense, and media entertainment.
The list of open-source software weaponized by Lazarus state hackers to deploy the BLINDINGCAN (aka ZetaNile) backdoor includes PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer.
The PuTTY and KiTTY SSH clients were also used to backdoor targets' devices in fake job skills assessments,
as reported by Mandiant this month.
This trojanized software was used in social engineering attacks from late April to mid-September 2022 and primarily focused on engineers and technical support professionals working at IT and media organizations in the UK, India, and the U.S.
The attackers created "fake profiles claiming to be recruiters working at technology, defense, and media entertainment companies, with the goal of moving targets away from LinkedIn and to the encrypted messaging app WhatsApp for the delivery of malware," Microsoft
said.
"Targets received outreach tailored to their profession or background and were encouraged to apply for an open position at one of several legitimate companies."
After the targets were tricked into downloading the weaponized software to deploy the malware on their systems, the Lazarus operators used the backdoor for lateral movement and network discovery, with the end goal of stealing sensitive info.
