It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp

2022-09-14 • Mandiant •

https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing

#UNC4034 #PuTTY #T1059.003 #T1071.001 #T1566.003 #T1566.001 #T1053.005 #T1132.001 #T1620 #T1573.001 #T1218 #T1573.002 #T1071.002 #T1574.001 #T1055.001

Thumbnail for It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp

Mandiant identified UNC4034 using a fake Amazon job opportunity to move a media-industry victim from email to WhatsApp and deliver a malicious ISO named amazon_assessment.iso. The ISO contained a trojanized PuTTY executable and a Readme with connection details; attempting the SSH workflow triggered embedded malicious code that dropped colorui.dll and used DLL search order hijacking through colorcpl.exe. Persistence was created with a scheduled task named PackageColor, and the DLL decrypted DAVESHELL shellcode that loaded AIRDRY.V2, a VMProtect-packed evolution of the AIRDRY/BLINDINGCAN backdoor. Mandiant noted overlaps suggesting a North Korea nexus, and the case is significant because it combines recruiter-themed social engineering, ISO delivery, trojanized legitimate tooling, and a plugin-oriented backdoor chain.

Indicators of Compromise

Type	Value	First Seen	Last Seen
URL	https://turnscor.com/wp-include…	2022-09-14	2023-09-29
URL	https://hurricanepub.com/includ…	2022-09-14	2023-09-29
DOMAIN	hurricanepub.com	2022-09-14	2023-09-29
DOMAIN	turnscor.com	2020-12-15	2023-09-29
HASH	8cc60b628bded497b11dbc04facc7b5…	2022-09-14	2022-11-03
HASH	e03da0530a961a784fbba93154e9258…	2022-09-14	2022-11-03
HASH	cf22964951352c62d553b228cf4d2d9…	2022-09-14	2022-11-03
IPv4	137.184.15.189	2022-09-14	2022-11-03
HASH	aaad412aeb0f98c2c27bb817682f086…	2022-09-14	2022-09-29
HASH	1492fa04475b89484b5b0a02e6ba3e5…	2022-09-14	2022-09-29
HASH	6d1a88fefd03f20d4180414e199eb23a	2022-09-14	2022-09-14
HASH	c650b716f9eb0bd6b92b0784719081cd	2022-09-14	2022-09-14
HASH	4914bcbbe36dfa9d718d02f162de3da1	2022-09-14	2022-09-14
HASH	8368bb5c714202b27d7c493c9c0306d7	2022-09-14	2022-09-14
HASH	3ac82652cf969a890345db1862deff4…	2022-09-14	2022-09-14
HASH	18c873c498f5b90025a3c33b17031223	2022-09-14	2022-09-14
HASH	90adcfdaead2fda42b9353d44f7a8ceb	2022-09-14	2022-09-14
URL	https://www.elite4print.com/sup…	2022-09-14	2022-09-14

Related Actors

UNC4034

Mandiant

TEMP.Hermit

First seen: Sep 2022

Last seen: Nov 2022

Related Reports

2022-11-03 • 43% Match

Not a dream job: Hunting for malicious job offers from an APT

Virustotal

#DreamJob #UNC4034 #PuTTY

Shares tags: UNC4034, PuTTY • Shares 4 IOCs

2022-09-30 • 38% Match

Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium

ESET

#BYOVD #T1059.003 #T1140 #T1584.004 #T1587.001 #T1071.001 #T1204.002 #T1566.003 #T1566.001 #T1547.001 #T1132.001 #T1574.002 #T1027.002 #T1573.001 #T1218.011 #T1070.006 #T1106 #T1560.002 #T1014 #T1547.006

Shares tags: T1059.003, T1071.001, T1566.003 • Shares 1 IOC • Published within a month

2022-09-29 • 31% Match

ZINC weaponizing open-source software

Microsoft

#Zinc

Shares 5 IOCs • Published within a month

2021-12-02 • 26% Match

APT Profile: Who is Lazarus Group?

SOCRadar

#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1573.001 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004 #T0865

Shares tags: T1059.003, T1071.001, T1566.003

2025-08-13 • 24% Match

APT PROFILE – LAZARUS GROUP

Cyfirma

#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1218.010 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1573 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004

Shares tags: T1059.003, T1071.001, T1566.003

2022-07-20 • 23% Match

STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea)

Securonix

#Konni #StiffBizon #T1082 #T1119 #T1059.003 #T1070.004 #T1041 #T1113 #T1020 #T1071.001 #T1204.002 #T1555.003 #T1057 #T1059.005 #T1566.001 #T1053.005 #T1539 #T1059.001 #T1053 #T1132.001 #T1105 #T1548.002 #T1134.001 #T1033 #T1569.002 #T1543.003 #T1560.003 #T1007 #T1027.005 #T1606.001

Shares tags: T1059.003, T1071.001, T1566.001

« Back