Hackers Weaponize PuTTY SSH

North Korean adversaries are deploying backdoors on targets' devices using trojanized versions of the PuTTY SSH client, delivered under the guise of a fake Amazon job assessment.

A notable element of this campaign is the use of trojanized versions of the PuTTY and KiTTY SSH utilities as the means of deploying a backdoor; in this case, the backdoor delivered is ‘AIRDRY.V2’.

Cybersecurity researchers at Mandiant have attributed this campaign to the threat group tracked as ‘UNC4034’, which is also known under the following names:

  • Temp.Hermit
  • Labyrinth Chollima

The group's latest activity appears to be a continuation of the ‘Operation Dream Job’ campaign, which has been running since June 2020 and is currently targeting media companies.

Exploiting PuTTY SSH Client and WhatsApp

The attack begins with an email to the target containing a lucrative job offer purportedly from Amazon, which serves as the lure.

The conversation then moves to WhatsApp, where the threat actors share an ISO image:

  • amazon_assessment.iso

The ISO contains the following:

  • A text file (“readme.txt”)
  • An IP address
  • Login credentials
  • A trojanized version of PuTTY (PuTTY.exe)

The threat actors are also believed to have used the file name ‘Amazon-KiTTY[.]exe’ to impersonate the KiTTY SSH client. What was discussed between the threat actors and the victims is not known.

The PuTTY executable shared by the attackers carries a malicious payload embedded in its data section, so the tampered binary is noticeably larger than the legitimate one.

The threat actors compiled the trojanized PuTTY executable from the legitimate program, so it behaves exactly like the genuine version and is fully functional.

The attackers modified PuTTY’s “connect_to_host()” function: once an SSH connection using the enclosed credentials succeeds, the program deploys a malicious DAVESHELL shellcode payload in the form of a Themida-packed DLL.

DAVESHELL then drops the final payload directly into memory:

  • AIRDRY.V2 backdoor malware

Supported Command IDs

The backdoor supports the following command IDs:

  • 0x2009: Upload basic system information
  • 0x2028: Update the beacon interval based on a value provided by the C2 server
  • 0x2029: Deactivate until new start date and time
  • 0x2031: Upload the current configuration
  • 0x2032: Update the configuration
  • 0x2037: Keep-alive
  • 0x2038: Update the beacon interval based on a value in the configuration
  • 0x2052: Update the AES key used to encrypt C2 requests and configuration data
  • 0x2057: Download and execute a plugin in memory

The new version of AIRDRY supports fewer commands than its predecessor, but the reduced command set does not compromise the backdoor's flexibility.

To confirm that a copy of PuTTY is not trojanized, open the executable's properties and verify that the binary is digitally signed by ‘Simon Tatham’.
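The same check can be scripted for a fleet of machines. The following PowerShell function is an added example, not code from the article or from Mandiant: it uses Get-AuthenticodeSignature to verify the signature status and signer, and optionally compares the file size against a known-good copy, since the tampered binary is larger. The function and parameter names are assumptions.

```powershell
# Added example: verify a PuTTY binary against the indicators described above.
# -Path          : the executable to inspect
# -ReferencePath : optional known-good putty.exe for a size comparison
# -ExpectedSigner: name expected in the signer certificate subject (from the article)
function Test-PuttyBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ReferencePath,
        [string] $ExpectedSigner = 'Simon Tatham'
    )

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $findings = @()

    # 1. The signature must chain to a trusted root and match the file hash.
    #    A payload appended to the data section breaks the hash (HashMismatch);
    #    a rebuilt binary that was never signed shows as NotSigned.
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status is $($sig.Status), not Valid"
    }

    # 2. The signer must be the PuTTY author, not merely any valid certificate.
    if ($subject -notmatch [regex]::Escape($ExpectedSigner)) {
        $findings += "signer subject '$subject' does not name $ExpectedSigner"
    }

    # 3. Optional: a trojanized build is noticeably larger than the genuine one.
    if ($ReferencePath) {
        $refSize = (Get-Item -LiteralPath $ReferencePath).Length
        if ($file.Length -ne $refSize) {
            $findings += "size $($file.Length) bytes differs from reference $refSize bytes"
        }
    }

    [pscustomobject]@{
        Path      = $file.FullName
        Status    = $sig.Status
        Signer    = $subject
        SizeBytes = $file.Length
        Findings  = $findings
        Verdict   = if ($findings.Count -eq 0) { 'OK' } else { 'SUSPICIOUS' }
    }
}

# Usage (paths are placeholders):
# Test-PuttyBinary -Path 'D:\putty.exe' -ReferencePath 'C:\Tools\putty.exe'
```

This signer check applies to PuTTY only; KiTTY is a separate project with its own release process, so a KiTTY binary should be compared against its own distributor's signature and hashes rather than against ‘Simon Tatham’.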


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.