Microsoft warns that the North Korean threat actor the company tracks as “ZINC” is targeting engineers and technical support workers in “media, defense and aerospace, and IT services in the US, UK, India, and Russia.” The threat actor uses malicious versions of open source applications, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording. Microsoft believes the campaign is “driven by traditional cyber espionage, theft of personal and corporate data, financial gain, and destruction of the corporate network.”
Phishing from LinkedIn was observed in the campaign.
Duo Security’s Decipher notes that ZINC uses LinkedIn to contact potential victims, then switches to WhatsApp to deliver the malware: “A key part of the campaigns is the use of LinkedIn personas as initial outreach vectors for victims. ZINC actors create fake personas on LinkedIn, posing as recruiters at defense, tech, or entertainment companies, then trick the victims into moving the conversations to WhatsApp. ZINC actors would at some point provide the compromised ZetaNile application to victims. The actor has used the compromised PuTTY infection method in the past, but only recently started using KiTTY. KiTTY is a fork of PuTTY, and in both cases, ZINC uses DLL search order hijacking to load a malicious DLL onto the victim’s machine.”
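A defender-side check for the loading technique named above, written as an added example (not code from Microsoft, Decipher, or the article): it scans Sysmon Event ID 7 (ImageLoaded) records and flags a DLL whose file name matches a Windows system DLL but was resolved from outside the system directories, which is what the default search order produces when a same-named DLL sits in the application's own folder. The event records, the system DLL list, and the file paths are constructed samples.

```python
"""Flag DLL search-order hijacking candidates in Sysmon EID 7 records.

Under the default Windows search order the application's own directory is
consulted before System32, so a DLL dropped beside an executable with the name
of a system DLL is loaded in its place.  This check looks for exactly that
pattern: a system DLL name resolved from a non-system directory.
"""
from pathlib import PureWindowsPath

# Constructed, non-exhaustive sample of DLL names that normally live in System32.
# On a real host, populate this from the contents of %SystemRoot%\System32.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "winmm.dll", "cryptbase.dll"}

# Directories from which those names are legitimately resolved (lower-cased).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed Sysmon Event ID 7 records, reduced to the fields this check uses.
EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\putty.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\Downloads\putty.exe",
     "ImageLoaded": r"C:\Windows\System32\winmm.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\KiTTY\kitty.exe",
     "ImageLoaded": r"C:\Program Files\KiTTY\kitty_helper.dll", "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]


def is_shadowed_system_dll(event: dict) -> bool:
    """True when a system DLL name was loaded from a directory other than the
    system directories, i.e. a local copy shadowed the real one."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    name = loaded.name.lower()
    parent = str(loaded.parent).lower()
    return name in SYSTEM_DLLS and parent not in SYSTEM_DIRS


def find_hijack_candidates(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (process image, loaded DLL, Signed flag) for each suspicious load.
    An unsigned shadow copy is the stronger signal; a signed one still merits
    review, since a legitimate app may ship its own copy of a system DLL."""
    return [(e["Image"], e["ImageLoaded"], e["Signed"])
            for e in events if is_shadowed_system_dll(e)]


if __name__ == "__main__":
    for image, dll, signed in find_hijack_candidates(EVENTS):
        print(f"ALERT {image} loaded {dll} (Signed={signed})")
```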
Recognizing malicious code in the software supply chain.
Jeff Williams, co-founder and CTO of Contrast Security, notes that it’s not easy to find malicious code in the software supply chain. “Detecting malicious code in an open source library is extremely difficult,” he wrote. “Attackers can easily infiltrate open source projects, use pseudonyms, and hide their attacks in commits that also include valuable features and bug fixes. These attacks can be as small as a single seemingly innocuous line of code, but surreptitiously allow full control of machines running trojaned applications.” The more obvious means of looking for malicious code are likely, in such contexts, to be less than fully effective. “A simple application security scan, pentesting, firewalling, and SBOMing will not uncover these infections or prevent their exploitation. Although we have known about these issues for over a decade, little has been done. Unfortunately, in the wake of SolarWinds, attackers have finally started to take advantage of this attack vector, and we are completely unprepared for it.”
Lazarus gets high marks as a threat actor (and that’s not a good thing).
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, wrote, reluctantly giving the Lazarus Group good reviews: “Lazarus is the A-Team of North Korean hacker teams. They have raised their game for a while. This attack could become a perfect storm, as rogue nation states and cybercrime cartels could adopt this chain of destruction, thus poisoning open source software globally. Enterprises need to deploy intelligent execution protection and immediately test any third-party open source code moving through their supply chains.”