North Korean threat actor weaponizing legitimate open-source software
ZINC, a state-sponsored group based out of North Korea, is weaponizing a wide range of open-source software to target employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia, according to Microsoft.
Microsoft Threat Intelligence Center (MSTIC) observed ZINC weaponizing legitimate open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks.
ZINC, also known as Labyrinth Chollima and Black Artemis, has been observed conducting this campaign from late April to mid-September 2022. The nation-state activity group could pose a significant threat to individuals and organizations across multiple sectors and regions, Microsoft has warned.
According to a post by MSTIC and the LinkedIn Threat Prevention and Defense team, beginning in June 2022, the threat group employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets. After establishing contact, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads.
LinkedIn Threat Prevention and Defense detected ZINC creating fake profiles impersonating recruiters working at technology, defense, and media entertainment companies, with the goal of moving targets away from LinkedIn and to WhatsApp for the delivery of malware. Targets received outreach tailored to their profession/background and were encouraged to apply for an open position at one of several legitimate companies.
LinkedIn terminated any accounts associated with inauthentic or fraudulent behaviour.
Mitigation
Microsoft recommends the following actions to mitigate techniques used by the actor:
- Use the indicators of compromise (IoCs) published in Microsoft's report to check whether they exist in your environment and assess for potential intrusion.
- Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm that each login is legitimate and to investigate any anomalous activity.
- Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity.
- Prevent malware infections by ignoring or deleting unsolicited and unexpected emails with ISO attachments.
- Practice good credential hygiene by limiting the use of accounts with local or domain admin privileges and turning on Microsoft Defender Firewall to prevent malware infection and stifle propagation.
- Protect personal and business information in social media, filter unsolicited communication, identify lures in spear-phishing email and watering holes, and report reconnaissance attempts and other suspicious activity.
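The ISO-attachment advice above is easier to enforce with a content check than with a filename rule alone, since an attacker can rename the image or wrap it in a ZIP. The script below is an added example, not code from Microsoft, LinkedIn or the original article: it parses RFC 822 messages with Python's standard `email` library, flags attachments by extension, by the ISO 9660 volume descriptor signature ("CD001" at byte offset 0x8001), and by disk-image names inside ZIP attachments. The sample messages, the fake ISO and the sender addresses are all constructed inline for the demo.

```python
"""Flag inbound e-mails carrying ISO disk images (a delivery vector named in
Microsoft's ZINC mitigation advice).  Added example, not Microsoft's or
LinkedIn's code.  All sample messages below are constructed for the demo."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# ISO 9660 primary volume descriptor: "CD001" at byte offset 0x8001 (32769).
ISO_MAGIC = b"CD001"
ISO_MAGIC_OFFSET = 0x8001
SUSPECT_EXTENSIONS = (".iso", ".img")


def looks_like_iso(data: bytes) -> bool:
    """Content check: catches an ISO that has been renamed to .pdf or similar."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def suspicious_names_in_zip(data: bytes) -> list[str]:
    """If the attachment is a ZIP, list any disk-image file names inside it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SUSPECT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []  # not a ZIP archive at all


def scan_message(raw: bytes) -> list[str]:
    """Return a list of findings for one raw RFC 822 message (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(SUSPECT_EXTENSIONS):
            findings.append(f"attachment {name!r}: disk-image extension")
        if looks_like_iso(payload):
            findings.append(f"attachment {name!r}: ISO 9660 signature at 0x8001")
        for inner in suspicious_names_in_zip(payload):
            findings.append(f"attachment {name!r}: contains {inner!r}")
    return findings


def _build(filename: str, data: bytes, subtype: str = "octet-stream") -> bytes:
    """Constructed sample message with one attachment (demo input only).
    The addresses are placeholders, not real senders."""
    m = EmailMessage()
    m["From"] = "recruiter@example.invalid"
    m["To"] = "engineer@example.invalid"
    m["Subject"] = "Job description attached"
    m.set_content("Please review the attached position.")
    m.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


def _zip_with(name: str, data: bytes) -> bytes:
    """Constructed ZIP archive holding a single member (demo input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


# Minimal fake ISO image: zeros up to the descriptor offset, then the signature.
FAKE_ISO = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x00" * 16

SAMPLES = {
    "plain_pdf": _build("jd.pdf", b"%PDF-1.4 ...", "pdf"),
    "iso_named_iso": _build("jd.iso", FAKE_ISO),
    "iso_renamed_pdf": _build("jd.pdf", FAKE_ISO, "pdf"),
    "iso_in_zip": _build("jd.zip", _zip_with("jd.iso", FAKE_ISO), "zip"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", scan_message(raw) or "clean")
```

In a mail gateway the same `scan_message` logic would run on each inbound message; the point of the signature check is that the renamed image (`iso_renamed_pdf`) is still flagged even though its extension rule passes, while a genuine PDF produces no finding.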