In July 2022, Mandiant identified a novel spear phish methodology that was employed by North Korea-linked threat actor UNC4034. The attackers are spreading tainted versions of the PuTTY SSH and Telnet client.
The attack chain starts with a fake job opportunity at Amazon sent to the victims via email. Subsequently, UNC4034 communicated with them over WhatsApp and after the communication is established with the victim over WhatsApp, then threat actors tricked victims into downloading a malicious ISO image masqueraded as a fake job.
The archive holds a text file containing an IP address and login credentials, and an a backdoored version of PuTTY that was used to load a dropper called DAVESHELL, which deploys a newer variant of a backdoor dubbed AIRDRY. AIRDRY, also known as BLINDINGCAN, is one of the backdoors used by North Korea-linked APT groups in previous attacks.
Clearly, the attackers convinced the victim to launch a PuTTY session using the credentials contained in the TXT file to connect to the remote host.
