ZINC Hackers Leverage Open-source Software to Lure IT Pros

ZINC, a sub-group of the notorious North Korean Lazarus hacking group, has implanted malicious payloads in open-source software to infiltrate corporate networks, Microsoft’s threat hunting team has reported.

PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer have been backdoored to perform a wide range of social engineering campaigns that started in April 2022.

The spear phishing campaigns have targeted engineers and technical support operators, and the cybercriminals have pretended to be IT recruiters. They used LinkedIn to connect with the victims and gain their trust. Then they moved the conversation away from the platform to encrypted messaging apps like WhatsApp.

The victims were tricked into downloading utilities to complete fake job assessments. These tools included trojanized SSH clients (e.g., PuTTY) and networking tools. The cybercriminals were able to take screenshots, run discovery commands, and establish persistent connections to their command and control (C&C) servers while evading detection tools.

ZINC hackers corrupted legitimate software for cyberespionage, data theft, and lateral movement, compromising a number of organizations across multiple sectors, such as media, technology, and defense, and across several countries, among them the U.S., UK, and India.


Highly Evasive Attack

ZINC cybercriminals are considered sophisticated attackers who made themselves known with an attack against Sony Pictures Entertainment in 2014.

Microsoft’s team published a detailed diagram explaining how the ZINC group compromised targeted engineers in 2022.

The attacks involved classic phishing documents that contained malicious macros but also weaponized utilities associated with job assessments. Targets were encouraged to apply for open positions in legitimate companies.

Researchers observed “at least five methods of trojanized open-source applications containing the malicious payload and shellcode,” as well as executables that do not drop malware directly but load it in chunks from C&C servers.

Using DLL hijacking, ZINC can schedule additional tasks and install malware on the compromised machines. This highly evasive approach is not surprising for a sophisticated hacking group, as the top priority is to operate stealthily, even if it requires multiple layers of obfuscation and hacked versions of legitimate software.

LinkedIn has closed the fake accounts since then, but the Microsoft team considers such attacks a “significant threat to individuals and organizations across multiple sectors and regions.” Indeed, the hackers leveraged social engineering on social platforms IT professionals use regularly, and the tools used during the so-called job assessments do not look suspicious.


How to Protect Against Social Attacks

Microsoft has published the full list of IoCs (indicators of compromise) observed during its investigations in its blog post. Admins and security teams can use them to assess potential attacks and block inbound traffic from the listed IPs.

Social engineering combined with highly targeted campaigns like spear phishing remains a powerful approach, so good security hygiene, such as MFA, phishing awareness, and regular training, is recommended for all employees, including tech-savvy IT professionals.

More than ever, engineers must be very careful with unsolicited communications, as their position is often associated with privileged access. If employees are asked to download archives from WhatsApp (or any other encrypted messaging app) and run custom executables, it’s a huge red flag, as the same software could be downloaded from official sources, where it’s usually possible to verify the downloads with a checksum.

This does not mean official sources cannot be compromised, but it’s less likely. Big companies and IT startups have other ways to assess job candidates.
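A defender-side check for the checksum advice above, added here as an example and not code from the article or from Microsoft: it parses a publisher's sha256sums-style file and reports each downloaded file as ok, MISMATCH or MISSING. The file names, bytes and checksum text in demo() are constructed placeholders; a matching checksum only shows the file is the one the publisher listed, so the sums file must come from the official site, not from the same chat that delivered the archive.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_of_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:  # stream: installers can be large
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha256sums(text: str) -> dict[str, str]:
    # Common "sha256sums" layout: "<64 hex>  <name>", optional leading "*" on the name.
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not all(c in "0123456789abcdefABCDEF" for c in digest) or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest.lower()
    return expected

def verify_downloads(download_dir: Path, sums_text: str) -> dict[str, str]:
    # Returns {name: "ok" | "MISMATCH" | "MISSING"}; only "ok" files should ever be run.
    results = {}
    for name, digest in parse_sha256sums(sums_text).items():
        target = download_dir / name
        if not target.is_file():
            results[name] = "MISSING"
            continue
        results[name] = "ok" if hmac.compare_digest(sha256_of_file(target), digest) else "MISMATCH"
    return results

def demo() -> dict[str, str]:
    # Constructed sample (not real downloads): one intact file, one altered, one absent.
    d = Path(tempfile.mkdtemp())
    original = b"PRETEND-INSTALLER-BYTES"
    (d / "example-tool.zip").write_bytes(original)
    (d / "example-tool-altered.zip").write_bytes(original + b"\x00")  # tampered copy
    good = hashlib.sha256(original).hexdigest()
    sums = (f"{good}  example-tool.zip\n{good} *example-tool-altered.zip\n"
            f"{good}  example-tool-src.tar.gz\n")
    return verify_downloads(d, sums)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```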

If the social engineering attack succeeds, behavioral analysis can spot anomalous activity on the host, and monitoring outgoing traffic can reveal suspicious connections. It should be noted that such attackers do not always use IPs associated with the hidden web; they often rely on legitimate platforms and “C2-like” servers instead, which makes these sophisticated threat actors pretty hard to catch in the end, especially if the targets use the same platforms on a regular basis.


Julien Maury
Julien Maury is a backend developer, a mentor and a technical writer. He loves sharing his knowledge and learning new concepts.
