Novel spear-phishing campaign features trojanized PuTTY SSH client

BleepingComputer reports that North Korean hacking operation UNC4034, also known as Labyrinth Chollima or Temp.Hermit, has been leveraging a trojanized iteration of the PuTTY and KiTTY SSH utility in a new spear-phishing operation aimed at facilitating the delivery of the AIRDRY.V2 backdoor. Media companies have been targeted by the new attacks, initially detected by Mandiant in July, which are believed to be part of the 'Operation Dream Job' campaign that commenced in June 2020. Attackers have been conducting the operation by initially sending emails with lucrative Amazon job offers, with recipients then lured to continue communications over at WhatsApp, where an ISO file will be shared. Included in the ISO file are a trojanized PuTTY application and a text file with login credentials and an IP address, the report showed. Executing the modified PuTTY version would trigger loading of the DAVESHELL DLL, which then deploys the AIRDRY.V2 malware as the final payload directly in memory. AIRDRY.V2 has been observed to have several features deactivated by default, as well as have fewer commands but have in-memory plugin execution and AES key updating for command-and-control server communications, compared with the old AIRDRY version.