Backdoored Versions of PuTTY Discovered in North Korean Cyberattacks

By Ava McKinneyOnline Safety

Backdoored Versions of PuTTY Discovered

Security analysts from Mandiant have warned about the emergence of a trojanized version of the PuTTY utility, allegedly created by North Korean hackers from the group UNC4034 (also known as Temp.Hermit or Labyrinth Chollima). It appears that this malicious version of PuTTY is being used to compromise organizations of interest to the attackers.

Typically, these attacks begin with the hackers contacting their targets via email, making an enticing offer that appears to be a job opportunity at Amazon. The hackers then send the victim a message on WhatsApp, sharing a file named amazon_assessment.iso. Recently, ISO files have become increasingly popular for infecting Windows machines, since double-clicking them by default mounts the image.

The ISO file contains a text file (readme.txt) with an IP address and login credentials, as well as a malicious version of PuTTY (PuTTY.exe). According to Bleeping Computer, the hackers also use the SSH client KiTTY (a fork of PuTTY) in some attacks, in which case the file is named Amazon-KiTTY.exe.

It is still unclear exactly how the conversation between the attackers and victims unfolds, but it seems the hackers convince the victims to open the ISO image and use the provided SSH tool and credentials to connect to a host, supposedly as part of a test.

Although the malicious version of PuTTY contains a harmful payload, it remains fully functional since it is compiled from a legitimate version of the program. However, researchers note that legitimate versions of PuTTY are signed by the developer, while the hacker versions are not.

Technical Details of the Attack

The Mandiant report states that the hackers modified the connect_to_host() function so that, upon a successful SSH connection using the provided credentials, a malicious shellcode called DAVESHELL is deployed in the form of a DLL library (colorui.dll), packed with Themida.

To make the shellcode execution stealthy, the malicious PuTTY exploits a vulnerability in colorcpl.exe, and DAVESHELL acts as a dropper for the final payload — the AIRDRY.V2 backdoor, which runs directly in memory.

Attack Workflow

Although the backdoor has capabilities for using a proxy server and tracking active RDP sessions, in the version analyzed by Mandiant, these features are disabled by default. The updated AIRDRY.V2 supports only nine commands:

  • Upload basic system information
  • Update the beacon interval based on values from the command server
  • Deactivate until a new date and time
  • Upload current configuration
  • Update configuration
  • Maintain activity
  • Update the beacon interval based on configuration values
  • Update the AES key used for encrypting C&C requests and configuration data
  • Upload and run a plugin in memory

According to researchers, compared to the previous version of AIRDRY, the new variant supports fewer commands, but in-memory execution and AES key updates for communication with the command server are new features.

Leave a Reply