Not a dream job: Hunting for malicious job offers from an APT

Tldr: A recent Mandiant’s blog described a series of targeted attacks over Whatsapp by an APT cluster named UNC4034. We found several additional cases in VirusTotal which we believe with high confidence are related to the same activity set.

According to the original publication, this activity is most likely related to North Korean actor and could be an extension of Operation “Dream Job”, leveraging targeted distribution of malicious ISO files. Based on Mandiant’s research, in the first stage the attacker sends a job offer at Amazon to the victim by email, followed by a WhatsApp web message where the attacker shares a malicious ISO file, pretending to be part of the selection process.

The original publication provides 2 hashes of ISO files named amazon_test.iso and amazon_assessment.iso respectively. Unfortunately, only the first one was found in VirusTotal:

8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b 
e03da0530a961a784fbba93154e9258776160e1394555d0752ac787f0182d3c0

Hunting for more samples

We started by trying to find the ISO we were missing in VirusTotal by searching for files with the same name:

The search results provided us with one sample (dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031). In Mandiant’s publication both samples share the same configuration which can be found in an embedded Readme.txt file. The new sample seems to be the new variant with a different configuration, also in a Readme.txt file, as shown below:

New sample’s Readme.txt content

Both ISO files contain two files inside them – a Windows executable (apparently a poisoned version of Putty) and Readme.txt. We decided to search for all the ISO samples bundling only two specific files – Readme.txt and an *.exe file. Additionally, we filtered out all samples over 10Mb or submitted to VirusTotal before 2020. We obtained the following 6 samples, including the ones already discussed:

ISO sha256 Filename ISO volume name
8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b amazon_test.iso AMAZON_TEST
dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031 Amazon_Assessment.iso AMAZON_ASSESSMENT
3818527bc78efcece9d9bc87d77efa9450c2ba5c94f8441ea557ba29d865e7d3 SA_Assessment.iso AMAZON_ASSESSMENT
cd8e12cddfe71b89597b6621d538b63673c8a8a3bf47a0fa572961ca1280e5b5 IT_Assessment.iso AMAZON_ASSESSMENT
ccdb436a5941ba47a8b7e110021ad98ba6dc4e0296dc973429fc0c73de5e5397 Dell_SE_Assessment.iso DELL_SE_ASSESSMENT
455a7ebf67aec7b4d6cc18ed930bde491c0327ba5e24968514dd9b3449a7c374 IBM_SSA_Assessment.iso IBM_SSA_ASSESSMENT
Volume name (included in the ISO file metadata) can also be used as a pivoting point, as an alternative to the previous query, to find more samples in VirusTotal by clicking on them:

Example of ISO metadata

We could use the following query based on metadata that also filters out results based on the previous criteria:

Not only PuTTY 

Although we didn’t deeply analyze the found samples, we spotted two more remote client tools in addition to Putty inside the ISO files – a weaponized versions of TightVNC Viewer and KiTTY (PuTTY’s fork). 

ISO sha256 Filename ISO volume name
8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b cf22964951352c62d553b228cf4d2d9efe1ccb51729418c45dc48801d36f69b4 PuTTY
dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031 52ec2098ed37d4734a34baa66eb79ec21548b42b9ccb52820fca529724be9d54 PuTTY
3818527bc78efcece9d9bc87d77efa9450c2ba5c94f8441ea557ba29d865e7d3 75771b5c57bc7f0d233839a610fa7a527e40dc51b2ec8cbda91fab3b4faa977f KiTTY
cd8e12cddfe71b89597b6621d538b63673c8a8a3bf47a0fa572961ca1280e5b5 6af9af8aa0d8d4416c75e0e3f7a20dfe8af345fb5c5a82d79e004a54f1b670dc KiTTY
ccdb436a5941ba47a8b7e110021ad98ba6dc4e0296dc973429fc0c73de5e5397 14f736b7df6a35c29eaed82a47fc0a248684960aa8f2222b5ab8cdad28ead745 TightVNC Viewer
455a7ebf67aec7b4d6cc18ed930bde491c0327ba5e24968514dd9b3449a7c374 37e30dc2faaabaf93f0539ffbde032461ab63a2c242fbe6e1f60a22344c8a334 TightVNC Viewer
Interestingly, a couple of samples reveal forgotten pdb paths that could point to the attacker’s environment:

PDB path reveals “Work” folder

A TightVNC sample also included the following pdb path:
N:\2.MyDevelopment\3.Tools_Development\4.TightVNCCustomize\Munna_Customize\tightvnc\x64\Release\tvnviewer.pdb
Also, in some cases attackers reused the same ISO details for different campaigns. For instance, they didn’t change the volume name (Amazon related) with the ISO name they distributed (SA_Assessment or IT_Assessment).


Infrastructure

We extracted all the IP addresses from the Readme.txt files, as well as the contacted hosts during sandbox execution.

ISO sha256 IP from Readme.txt IP from Sandbox
8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b 137.184.15[.]189
dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031 143.244.186[.]68 44.238.74[.]84
3818527bc78efcece9d9bc87d77efa9450c2ba5c94f8441ea557ba29d865e7d3 147.182.237[.]105 3.137.98[.]129
cd8e12cddfe71b89597b6621d538b63673c8a8a3bf47a0fa572961ca1280e5b5 137.184.15[.]189 172.93.201[.]253
ccdb436a5941ba47a8b7e110021ad98ba6dc4e0296dc973429fc0c73de5e5397 44.238.74[.]84
455a7ebf67aec7b4d6cc18ed930bde491c0327ba5e24968514dd9b3449a7c374 44.238.74[.]84
Please note these IPs are subject to double checking before adding them to any blocking list. By checking the VirusTotal IP report  for any of them, you can find in the “Relations” tab  the “Files Referring” section to obtain which files hardcode the IP address, and “Communicating Files” to get which files contacted the IP during sandbox execution:

Files with hardcoded 143.244.186[.]68


Conclusions

As a result of this quick research we identified additional samples that seem to be part of the same campaign described by Mandiant, in this case expanding the scheme behind its distribution to, apparently, Dell and IBM in addition to Amazon. Submissions of the identified samples are observed between June and September 2022. 

In this post we described some ideas we used to identify these samples, but we encourage security researchers to both monitor additional activity and to dig into the newly found samples found to reveal further stage payloads. We created a VirusTotal Collection including the indicators associated with this malicious activity. As always, we are happy to hear any additional ideas to hunt for malicious campaigns.

Happy hunting!

Continue reading Not a dream job: Hunting for malicious job offers from an APT