Mandiant has reported an instance in which a group of North Korean hackers distributed a trojanized PuTTY SSH client inside a malicious ISO package.

The issue

In July 2022, during a session of identifying non-remediated threats, Google-owned cybersecurity firm Mandiant Managed Defense hunted down a threat cluster tracked as UNC4034. The trojanized PuTTY client was distributed to targets via WhatsApp and presented as an assessment for a job vacancy at Amazon.

In the ironically named Operation Dream Job, a group of North Korean hackers used spear phishing to send emails in the name of a fake Amazon job assessment. The malicious ISO package contained an archived text file with login credentials and a tainted, backdoored but fully functional PuTTY application. After download and installation, a dropper called DAVESHELL is loaded onto the host, which in turn deploys a variant of a backdoor dubbed AIRDRY.V2 (also known as BLINDINGCAN).

ISO files like these mount automatically on the target device as a virtual disk, making their contents readily accessible. The AIRDRY.V2 backdoor uses a plug-in-based architecture and supports multiple communication modes so that it can receive and execute commands from the attacker.

Figure: UNC4034 infection flow chart showing the PuTTY SSH client malware infection (image source: Mandiant)

ISO archives like these have become a go-to approach for threat actors, since the file is easy to transfer and mount on the target device. Once the backdoor is in place, commands can be issued over its communication protocols and a chain of follow-on actions can be started with far less effort. In this case, however, the issue was contained before any compromise or exploitation of the targeted applications took effect.

How to check whether a PuTTY client is legitimate

To confirm that a PuTTY download is genuine, check:

  1. A valid digital signature. A GPG signature accompanies every PuTTY file downloaded from the official website; verifying it confirms that the application is legitimate and hasn't been tampered with.
  2. The file size. The size listed on the official website should match that of the downloaded file.
  3. The md5sum and SHA values of the files you download. These values are published on the official website of the vendor you're downloading from.
  4. Event logs in the application menu. These help you debug SSH session issues and spot any other unexpected entries.

Note: You can find the latest legitimate version of PuTTY on the publisher’s website.
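As an added example (not code from this post or from the PuTTY project), the Python script below carries out checks 2 and 3 against a checksum manifest in the `<digest>  <filename>` layout that md5sum/sha256sum produce, and wraps `gpg --verify` for check 1. The file names and manifest contents are constructed, and the PuTTY release key is assumed to already be imported into your GPG keyring.

```python
import hashlib
import os
import subprocess
import tempfile

def hash_file(path, algo="sha256", chunk=1 << 16):
    """Hash a file in chunks so a large installer never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_checksum_manifest(text):
    """Parse '<hexdigest>  <filename>' lines, the layout md5sum/sha256sum produce."""
    pairs = (line.split() for line in text.splitlines())
    return {name: digest.lower() for digest, name in (p for p in pairs if len(p) == 2)}

def verify_download(path, manifest_text, expected_size=None, algo="sha256"):
    """Check listing, size and digest; returns (ok, reason) so the failure can be logged."""
    name = os.path.basename(path)
    expected = parse_checksum_manifest(manifest_text)
    if name not in expected:
        return False, "file not listed in manifest"
    if expected_size is not None and os.path.getsize(path) != expected_size:
        return False, "size mismatch"
    if hash_file(path, algo) != expected[name]:
        return False, "checksum mismatch"
    return True, "ok"

def gpg_verify(sig_path, path):
    """`gpg --verify` against the detached signature (release key assumed imported); None if gpg is absent."""
    try:
        return subprocess.run(["gpg", "--verify", sig_path, path], capture_output=True).returncode == 0
    except FileNotFoundError:
        return None

def demo():
    # Constructed sample: a 'genuine' installer and a same-size copy with one bit flipped.
    data = b"CONSTRUCTED PUTTY INSTALLER BYTES " * 64
    root = tempfile.mkdtemp()
    good, bad = [os.path.join(root, sub, "putty-installer.msi") for sub in ("good", "bad")]
    for p, content in ((good, data), (bad, data[:-1] + bytes([data[-1] ^ 1]))):
        os.makedirs(os.path.dirname(p))
        with open(p, "wb") as f:
            f.write(content)
    manifest = f"{hashlib.sha256(data).hexdigest()}  putty-installer.msi\n"
    return {
        "genuine": verify_download(good, manifest, len(data)),
        "tampered": verify_download(bad, manifest, len(data)),
        "unlisted": verify_download(os.path.join(root, "putty.exe"), manifest),
    }
```

The size check alone would have passed the tampered copy, which is why the digest (and the signature) must be checked as well.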

Be extra cautious while working with open-source tools

Open-source applications like PuTTY use public key authentication (RSA, DSA, etc.) over SSH-1, which is easy to tamper with. In addition, open-source applications are prone to malware attacks because they are readily available to the public. With free, open-source tools, it is always advisable to double-check an application and its credibility before downloading and using it.

Some applications, PuTTY included, come with a built-in feature called remote command. Why is this dangerous? The feature can be used to send commands automatically, without any prompt from the PuTTY client, to a device with an established connection. And it is not just PuTTY: other similar applications can also execute inputs requested by the server when connected to a remote server through a terminal. Likewise, there have been instances in the past where, during authentication, an attacker was able to execute arbitrary code on the machine hosting PuTTY.

While using open-source software or applications:

  1. Always check which vulnerabilities were found in the past and how they were handled.
  2. Obtain applications only from legitimate or authorized websites.
  3. Keep your application, server, and client software up to date.
  4. Always use SSH keys rather than passwords for logging in. This is more secure and makes malware infections and other tampering attempts harder.

About us

IT operations management solutions from ManageEngine offer network monitoring, application monitoring, and IT management solutions for the high-stakes world of IT. Our suite of products includes solutions for streamlining network monitoring, server monitoring, application monitoring, bandwidth monitoring, configuration management, firewall security and compliance, and IP address and switch port management.

Come and be a part of the elite club that is trusted by over one million IT admins worldwide. Learn more.

Vishnu Prasadh
Content Marketer