BleepingComputer reports that the North Korean threat group UNC4034, also tracked as Labyrinth Chollima or Temp.Hermit, has been distributing trojanized builds of the PuTTY and KiTTY SSH clients in a new spear-phishing campaign whose goal is to deliver the AIRDRY.V2 backdoor.
The attacks, first detected by Mandiant in July, have targeted media companies and are believed to be part of the 'Operation Dream Job' campaign that has been running since June 2020.
The attackers open with an email offering a lucrative job at Amazon, then lure the recipient into continuing the conversation on WhatsApp, where an ISO file is shared. The ISO contains the trojanized PuTTY executable alongside a text file holding an IP address and login credentials, the report said.
Running the modified PuTTY loads the DAVESHELL DLL, which in turn deploys the final payload, AIRDRY.V2, entirely in memory. Compared with the earlier AIRDRY, AIRDRY.V2 ships with several features disabled by default and supports fewer commands, but adds in-memory plugin execution and the ability to rotate the AES key used for command-and-control traffic.
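As an added example (not code from the report, from Mandiant, or from the PuTTY/KiTTY projects), the following Python sketches how a SOC could hunt for the chain described above in Sysmon-style process-creation and image-load telemetry: an SSH client binary whose hash is not an approved build, one launched from a non-system volume such as a mounted ISO, and one loading a DLL from a user-writable path. The event records, the checksums, and the allowlist are constructed placeholders.

```python
"""Hunt for trojanized PuTTY/KiTTY activity in Sysmon-style telemetry.

Added example for this news item; it is not code from Mandiant, BleepingComputer
or the PuTTY/KiTTY projects. Field names follow Sysmon EventData (Image, Hashes,
ProcessId, ImageLoaded); the events and hashes below are constructed placeholders.
"""

SSH_CLIENTS = {"putty.exe", "kitty.exe"}

# Hypothetical allowlist of approved build checksums. Placeholder values:
# replace them with the SHA256 sums published for the builds you deploy.
KNOWN_GOOD_SHA256 = {
    "putty.exe": {"0" * 64},
    "kitty.exe": {"1" * 64},
}

# Locations from which a legitimate PuTTY/KiTTY process has no reason to load a
# DLL: user-writable directories and non-system drives (a mounted ISO, for one).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


def parse_hashes(field):
    """Sysmon records hashes as 'SHA256=...,MD5=...'; return {algorithm: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, val = part.split("=", 1)
            out[algo.strip().upper()] = val.strip().lower()
    return out


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_dll_path(path):
    p = path.lower()
    if not p.startswith("c:\\"):
        return True
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def analyse(events):
    """Return (rule, detail) findings for three signals from the reported chain:

    unknown-hash      - an SSH client whose SHA256 is not an approved build
    non-system-drive  - the client ran from another volume, e.g. a mounted ISO
                        (weak on its own, but it matches the lure described)
    untrusted-dll     - the client loaded a DLL from a user-writable or
                        removable path, as a dropped loader DLL would be
    """
    findings = []
    ssh_pids = {}  # ProcessId -> image path of tracked SSH client processes
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            image = ev["Image"]
            name = basename(image)
            if name not in SSH_CLIENTS:
                continue
            ssh_pids[ev["ProcessId"]] = image
            sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            if sha not in KNOWN_GOOD_SHA256[name]:
                findings.append(("unknown-hash", f"{image} sha256={sha}"))
            if not image.lower().startswith("c:\\"):
                findings.append(("non-system-drive", image))
        elif ev["EventID"] == 7:  # image (DLL) loaded
            pid = ev["ProcessId"]
            if pid in ssh_pids and is_suspicious_dll_path(ev["ImageLoaded"]):
                findings.append(("untrusted-dll", f"{ssh_pids[pid]} loaded {ev['ImageLoaded']}"))
    return findings


# Constructed sample telemetry: an approved install, then a copy run from a
# mounted image that loads a DLL out of the user's temp directory.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": "C:\\Program Files\\PuTTY\\putty.exe",
     "Hashes": "SHA256=" + "0" * 64 + ",MD5=" + "f" * 32},
    {"EventID": 7, "ProcessId": 4100, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventID": 1, "ProcessId": 5200, "Image": "E:\\PuTTY.exe",
     "Hashes": "SHA256=" + "ab" * 32 + ",MD5=" + "c" * 32},
    {"EventID": 7, "ProcessId": 5200,
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\loader.dll"},
    {"EventID": 7, "ProcessId": 9999,
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\other.dll"},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The hash allowlist is the strong signal; the drive-letter and DLL-path checks are heuristics that surface the shape of this lure (ISO mount, dropped loader DLL) and should be tuned against the install locations your fleet legitimately uses. The preventive control is simpler still: only run SSH clients obtained from the vendor's site and verified against its published checksums or signatures, never a copy handed over in a chat.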
The Ukrainian hacktivist group IT Army has claimed responsibility for a large distributed denial-of-service attack on Leonardo, a Russian airline booking system used by more than 50 Russian carriers, according to The Record, the news site of cybersecurity firm Recorded Future.
The Chinese advanced persistent threat group Budworm, also known as APT27, Emissary Panda, Bronze Union, Lucky Mouse, Iron Tiger, and Red Phoenix, has launched new attacks using an updated version of its SysUpdate toolkit against an Asian government and a Middle East-based telecommunications provider, The Hacker News reports.
Threat actors have published 45 malicious NPM and PyPI packages to carry out large-scale data theft in a campaign that began on Sept. 12, according to BleepingComputer.