ZINC, a sub-group of the notorious North Korean Lazarus hacking group, has implanted malicious payloads in open-source software to infiltrate corporate networks, Microsoft’s threat hunting team has reported.
PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer have been backdoored to perform a wide range of social engineering campaigns that started in April 2022.
The spear phishing campaigns have targeted engineers and technical support operators, and the cybercriminals have pretended to be IT recruiters. They used LinkedIn to connect with the victims and gain their trust. Then they moved the conversation away from the platform to encrypted messaging apps like WhatsApp.
The victims were tricked into downloading utilities to complete fake job assessments. These tools included, for example, trojanized SSH clients (e.g., PuTTY) and networking tools. The cybercriminals were able to take screenshots, run discovery commands, and establish persistent connections to their command and control (C&C) servers while evading detection tools.
ZINC hackers corrupted legitimate software for cyberespionage, data theft, and lateral movement, compromising a number of organizations across multiple sectors, such as media, technology, and defense, and across several countries, among them the U.S., UK, and India.
Highly Evasive Attack
ZINC cybercriminals are considered sophisticated attackers who made themselves known with an attack against Sony Pictures Entertainment in 2014.
Microsoft's team published a detailed schema explaining how the ZINC group compromised targeted engineers in 2022:
The attacks involved classic phishing documents that contained malicious macros but also weaponized utilities associated with job assessments. Targets were encouraged to apply for open positions in legitimate companies.
Researchers observed “at least five methods of trojanized open-source applications containing the malicious payload and shellcode,” as well as executables that do not drop malware directly but load it in chunks from C&C servers.
Using DLL hijacking, ZINC can schedule additional tasks and install malware on the compromised machines. This highly evasive approach is not surprising for a sophisticated hacking group, as the top priority is to operate stealthily, even if it requires multiple layers of obfuscation and hacked versions of legitimate software.
LinkedIn has closed the fake accounts since then, but the Microsoft team considers such attacks a “significant threat to individuals and organizations across multiple sectors and regions.” Indeed, the hackers leveraged social engineering on social platforms IT professionals use regularly, and the tools used during the so-called job assessments do not look suspicious.
How to Protect Against Social Attacks
Microsoft has published the full list of IoCs (indicators of compromise) observed during investigations in their blog post. Admins and security teams can use them to assess potential attacks and block inbound traffic from listed IPs.
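The IoC list Microsoft published is only useful once it is actually matched against what your hosts and proxies record. The following is an added example, not Microsoft's code and not part of the article: it scans constructed log lines for indicator IPs, SHA-256 hashes and domains. The indicator values below are placeholders in documentation ranges and obviously fake hashes; a defender would replace them with the published list.

```python
"""Match an indicator-of-compromise (IoC) list against proxy/EDR log lines.

Added example. IOC_IPS, IOC_SHA256 and IOC_DOMAINS are constructed placeholders,
NOT the indicators from Microsoft's report; load the real list before use.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed placeholder IoCs (documentation-range IPs, fake hashes, .invalid TLD).
IOC_IPS = {"198.51.100.23", "203.0.113.77"}
IOC_SHA256 = {"a" * 64, "b" * 64}
IOC_DOMAINS = {"example-c2.invalid"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int   # 1-based index into the scanned lines
    kind: str      # "ip", "sha256" or "domain"
    value: str     # the normalized indicator that matched
    line: str      # the raw log line, for the analyst's context


def scan_lines(lines, ioc_ips=IOC_IPS, ioc_hashes=IOC_SHA256, ioc_domains=IOC_DOMAINS):
    """Return every IoC hit found in `lines`, in line order."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            try:
                ipaddress.ip_address(ip)   # drop things like 999.1.1.1
            except ValueError:
                continue
            if ip in ioc_ips:
                hits.append(Hit(n, "ip", ip, line))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in ioc_hashes:
                hits.append(Hit(n, "sha256", digest.lower(), line))
        for name in DOMAIN_RE.findall(line):
            if name.lower() in ioc_domains:
                hits.append(Hit(n, "domain", name.lower(), line))
    return hits


# Constructed sample log lines; the SHA-256 on the second line is the fake "a"*64.
SAMPLE_LOG = [
    "2022-09-01T10:02:11Z proxy user=jdoe dst=198.51.100.23:443 bytes=53211 ua=Mozilla/5.0",
    "2022-09-01T10:02:15Z edr host=WS-17 proc=PuTTY.exe sha256=" + "a" * 64 + " parent=explorer.exe",
    "2022-09-01T10:03:40Z proxy user=jdoe dst=192.0.2.10:443 bytes=1200",
    "2022-09-01T10:05:02Z dns host=WS-17 query=example-c2.invalid type=A",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

Hash matching only catches the exact samples Microsoft saw, so treat a hit as confirmation and the IP/domain matches as leads; a clean scan does not mean a host is clean.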
Social engineering combined with highly targeted campaigns like spear phishing remains a powerful approach, so good security hygiene, such as MFA, phishing awareness, and regular training, is recommended for all employees, including tech-savvy IT professionals.
More than ever, engineers must be very careful with unsolicited communications, as their position is often associated with privileged access. If employees are asked to download archives from WhatsApp (or any other encrypted messaging app) and run custom executables, it's a huge red flag: the same software could be downloaded from official sources, and it's usually possible to verify the downloads with a checksum.
That does not mean official download sources cannot be compromised, but it's far less likely. Big companies and IT startups have other ways to assess job candidates.
If the social engineering attack succeeds, behavioral analysis can spot anomalous activity, and monitoring outgoing traffic can reveal suspicious connections. It should be noted that many cybercriminals don't necessarily use IPs associated with the hidden web; they use legitimate platforms and “C2-like” servers instead, which makes such sophisticated threat actors hard to catch in the end, especially if the targets use the same platforms on a regular basis.
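The checksum verification the article recommends is simple to automate. Below is an added example, not from the article or from any software vendor: it hashes a file in chunks, parses a `sha256sum`-style checksum list, and compares the two. The "installer" and the checksum list are constructed in a temporary directory so the example runs offline; in practice the checksum list comes from the vendor's official site (ideally signed), never from the same chat that delivered the file.

```python
"""Verify a downloaded installer against a vendor-published SHA-256 checksum list.

Added example. The sample installer bytes and checksum listing are constructed
here; nothing in this file is a real vendor artifact.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large installers are not read into memory at once


def sha256_of_file(path):
    """Hex SHA-256 of the file at `path`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text):
    """Parse 'sha256sum'-style lines ('<hex>  <filename>') into {filename: hex}.

    Blank lines, '#' comments and malformed lines are skipped; a leading '*'
    (binary-mode marker some tools emit) is stripped from the file name.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected


def verify_download(path, checksum_text):
    """Return (ok, actual_hex). ok is False when the file is not in the list
    or its digest differs. hmac.compare_digest keeps the comparison constant-time,
    a harmless habit here that matters when the expected value is attacker-influenced."""
    expected = parse_checksum_list(checksum_text)
    actual = sha256_of_file(path)
    name = os.path.basename(path)
    if name not in expected:
        return False, actual
    return hmac.compare_digest(expected[name], actual), actual


def demo():
    """Constructed scenario: an 'official' copy and a 'sent over chat' copy that
    differs by one byte. Returns (official_ok, chat_copy_ok)."""
    with tempfile.TemporaryDirectory() as d:
        official_dir = os.path.join(d, "official")
        chat_dir = os.path.join(d, "from_chat")
        os.mkdir(official_dir)
        os.mkdir(chat_dir)
        good = os.path.join(official_dir, "tool-installer.exe")
        bad = os.path.join(chat_dir, "tool-installer.exe")
        payload = b"MZ" + b"\x00" * 1024          # constructed stand-in, not a real PE
        with open(good, "wb") as f:
            f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload + b"\x90")             # one extra byte; same name, same icon
        listing = f"# constructed vendor checksum list\n{sha256_of_file(good)}  tool-installer.exe\n"
        return verify_download(good, listing)[0], verify_download(bad, listing)[0]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A matching checksum proves the file is the one the vendor published, not that the vendor's build is safe; it does, however, defeat exactly the swap described in this article, where a legitimate-looking binary arrives through a side channel.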
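One concrete form of the outbound-traffic monitoring mentioned above is looking for beaconing: a host that contacts the same destination at regular, low-jitter intervals, which is how a persistent C&C connection often looks in egress logs. The following is an added example, not from the article or from Microsoft: it groups constructed (timestamp, host, destination) events and flags pairs whose inter-connection intervals are unusually regular. The thresholds are assumptions to be tuned per environment, and the hosts and addresses are constructed.

```python
"""Flag low-jitter periodic outbound connections (beaconing) in egress logs.

Added example. Events are constructed (timestamp_seconds, host, destination)
tuples standing in for proxy/firewall logs; MIN_CONNECTIONS and
MAX_JITTER_RATIO are assumed starting points, not published values.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNECTIONS = 6       # need enough samples before calling anything periodic
MAX_JITTER_RATIO = 0.10   # pstdev(intervals) / mean(intervals); lower means more regular


def find_beacons(events, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Return {(host, dst): (mean_interval_s, jitter_ratio)} for regular talkers."""
    by_pair = defaultdict(list)
    for ts, host, dst in events:
        by_pair[(host, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                       # duplicate timestamps, nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[pair] = (round(avg, 1), round(jitter, 3))
    return beacons


def constructed_events():
    """Constructed sample: one beacon-like pattern and one human-paced pattern."""
    base = 1_662_000_000
    events = []
    # WS-17 reaches a documentation-range address every ~60 s with +/- 2 s wobble.
    for i, wobble in enumerate([0, 1, -2, 2, -1, 0, 1, -1]):
        events.append((base + 60 * i + wobble, "WS-17", "198.51.100.23"))
    # Same host browsing a site at irregular intervals: should not be flagged.
    for offset in [5, 18, 90, 400, 412, 1000, 1300, 2900]:
        events.append((base + offset, "WS-17", "192.0.2.10"))
    return events


if __name__ == "__main__":
    for (host, dst), (interval, jitter) in find_beacons(constructed_events()).items():
        print(f"{host} -> {dst}: every {interval}s, jitter {jitter}")
```

Legitimate software (update checks, telemetry, mail clients) beacons too, so a hit is a triage signal to combine with destination reputation and process context, not a verdict; that is also why, as the article notes, C2 hidden on platforms the target already uses regularly is so hard to separate from normal traffic.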