Security firm Mandiant reports that the North Korean hacker group UNC4034 (aka TEMP.Hermit or Labyrinth Chollima) used Trojanized PuTTY and KiTTY SSH clients in a phishing attack targeting media companies. PuTTY and its fork KiTTY are popular open source SSH clients. The attackers first emailed the target with an Amazon job offer, then followed up via WhatsApp, sending a file called amazon_assessment.iso that contained an IP address and login credentials, as well as a Trojanized version of PuTTY (PuTTY.exe). The attacker tricked the victim into running the Trojanized client, supposedly as part of a skills assessment. This version carries a malicious payload that deploys DAVESHELL and then installs the AIRDRY.V2 backdoor.
This article is reprinted from: https://www.solidot.org/story?sid=72786