Trojanized Versions of PuTTY Utility used to Spread Backdoor

upnorth (Moderator, Staff Member, Malware Hunter) · Jul 27, 2015
Researchers believe hackers with connections to the North Korean government have been pushing a Trojanized version of the PuTTY networking utility in an attempt to backdoor the network of organizations they want to spy on.

Researchers from security firm Mandiant said on Thursday that at least one customer it serves had an employee who installed the fake network utility by accident. The incident caused the employer to become infected with a backdoor tracked by researchers as Airdry.v2.

The file was transmitted by a group Mandiant tracks as UNC4034. "Mandiant identified several overlaps between UNC4034 and threat clusters we suspect have a North Korean nexus," company researchers wrote. "The AIRDRY.V2 C2 URLs belong to compromised website infrastructure previously leveraged by these groups and reported in several OSINT sources."

The threat actors posed as people recruiting the employee for a job at Amazon. They sent the target a message over WhatsApp that transmitted a file named amazon_assessment.iso. ISO files have been increasingly used in recent months to infect Windows machines because, by default, double-clicking on them causes them to mount as a virtual machine. Among other things, the image had an executable file titled PuTTY.exe.

PuTTY is an open source secure shell and telnet application. Secure versions of it are signed by the official developer. The version sent in the WhatsApp message was not signed.
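The detail that separates the real PuTTY from the lure is the missing code signature. The following is an added example (not code from the post, from Mandiant, or from the PuTTY project) showing how a defender can triage a dropped `PuTTY.exe` offline: it parses the PE headers, locates the Security data directory that holds an embedded Authenticode blob, and reports whether one is present. The two PE images it checks are constructed in memory as stand-ins for a signed and an unsigned binary; no real sample is involved, and the "signature" payload is placeholder bytes, not a genuine PKCS#7 structure. Presence of a blob is only the first filter: a binary can carry a blob that is self-signed, revoked or mismatched, so the real verdict still comes from chain validation with `Get-AuthenticodeSignature` or `signtool verify`.

```python
import struct
import sys

# Index of IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header's data directory array.
SECURITY_DIR_INDEX = 4
# wCertificateType value for a PKCS#7 SignedData blob (WIN_CERT_TYPE_PKCS_SIGNED_DATA).
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def find_authenticode_blob(data: bytes):
    """Return (file_offset, size) of the embedded Authenticode blob, or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32 and PE32+ place NumberOfRvaAndSizes and the directory array at different offsets.
    if magic == 0x10B:
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    if num_dirs <= SECURITY_DIR_INDEX or size_of_optional < dirs_off + 8 * (SECURITY_DIR_INDEX + 1):
        return None
    # Unlike other directories, the Security entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * SECURITY_DIR_INDEX)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("security directory points outside the file")
    return off, size


def describe_signature(data: bytes) -> dict:
    """Summarise the WIN_CERTIFICATE header of the embedded blob, if there is one."""
    blob = find_authenticode_blob(data)
    if blob is None:
        return {"signed": False, "reason": "no Security directory entry: no embedded Authenticode signature"}
    off, size = blob
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return {
        "signed": True,
        "offset": off,
        "length": length,
        "revision": revision,
        "type": cert_type,
        "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
    }


def build_test_pe(with_signature: bool) -> bytes:
    """Constructed minimal PE32+ image (headers only, not executable) to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    dirs = [(0, 0)] * 16
    header_len = e_lfanew + 4 + 20 + opt_size
    cert = b""
    if with_signature:
        payload = b"\x30\x82\x00\x00"  # placeholder bytes standing in for PKCS#7 SignedData (constructed)
        length = 8 + len(payload)
        padded = (length + 7) & ~7  # WIN_CERTIFICATE entries are 8-byte aligned
        cert = struct.pack("<IHH", length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        cert += b"\0" * (padded - length)
        dirs[SECURITY_DIR_INDEX] = (header_len, len(cert))
    opt = struct.pack("<H", 0x20B) + b"\0" * (108 - 2) + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt + cert


if __name__ == "__main__":
    # Usage: python check_sig.py <path-to-exe>; with no path, run over the constructed images.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(describe_signature(fh.read()))
    else:
        print("unsigned image:", describe_signature(build_test_pe(False)))
        print("signed image:  ", describe_signature(build_test_pe(True)))
```

An unsigned `PuTTY.exe` extracted from an ISO that arrived over WhatsApp should fail at the first step, with no Security directory at all. Where a blob is present, hand the file to `Get-AuthenticodeSignature` (PowerShell) or `signtool verify /pa /v` and compare the signer against the official developer's certificate before trusting it.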