Trojanized Version of PuTTY Distributed By Fake Amazon Job Phishers on WhatsApp

The makers of the secure telnet client PuTTY also sell a service monitoring company security services — and this July Mandiant Managed Defense "identified a novel spear phish methodology," according to a post on the company's blog: [The threat cluster] established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility.... This activity was identified by our Mandiant Intelligence: Staging Directories mission, which searches for anomalous files written to directories commonly used by threat actors....

The amazon_assessment.iso archive held two files: an executable and a text file. The text file named Readme.txt had connection details for use with the second file: PuTTY.exe.... [T]he PuTTY.exe binary in the malicious archive does not have a digital signature. The size of the PuTTY binary downloaded by the victim is also substantially larger than the legitimate version. Upon closer inspection, it has a large, high entropy .data section in comparison to the officially distributed version. Sections like these are typically indicative of packed or encrypted data. The suspicious nature of the PuTTY.exe embedded in the ISO file prompted Managed Defense to perform a deeper investigation on the host and the file itself.

The execution of the malicious PuTTY binary resulted in the deployment of a backdoor to the host.
"The executable embedded in each ISO file is a fully functional PuTTY application compiled using publicly available PuTTY version 0.77 source code," the blog post points out.

Ars Technica notes that Mandiant's researchers believe it's being pushed by groups with ties to North Korea: The executable file installed the latest version of Airdry, a backdoor the US government has attributed to the North Korean government. The US Cybersecurity and Infrastructure Security Agency has a description here. Japan's community emergency response team has this description of the backdoor, which is also tracked as BLINDINGCAN.

Well...

[gweihir]

Download from official repos and check signatures. Even more so if it is any kind of security software or software that is critical for security.

Nothing much else to say. Ordinary people cannot do IT security right unless they are very careful. The careless ones will fall for simple attacks like this one.

Re:

[Askmum]

People as stupid as this should be identified and be banned from being "IT professional" for life. Because clearly they are not IT professionals.

Re: Well...

[RegistrationIsDumb83]

Lately I've seen fake open source project pages hosting infected downloads. Some show up first in search rankings. It is VERY easy to mistake these. Worse, duckduckgo doesn't remove them when reported.

Re:

[Antique Geekmeister]

"GIMP for Windows" was the infamous example, hosted and adware burdened by the sourceforge.net website. There have been other examples before and since. I'm afraid that the "download and install this utility from a personal github.com account" has been a big problem for some languages.

Re:

[gweihir]

That is why you check the signature...

Re:

[jroysdon]

Anyone can create a fake site with signatures that match the code on the site. So the key here is to verify that the source is actually authoritative.

Re:

[gweihir]

Of course you do not check the signature against the code on the site. You check with a GPG/GnuPG key you have verified in one of the usual ways.

Do I have to explain even the smallest details? No surprise people get hit by this if not even /. readers know how to do this right....

Re:

[jroysdon]

And how do you know which GPG key is valid? The one posted on the website? See, bit of a problem where when you don't have a trusted source to start with (such as a published company or well-known developer publishing/signing a GPG key).

So, again, tell me specifically how you would verify the signature is valid?

Side note: Yes, I know it's not the same thing, but even the website itself is just signed by "Let's Encrypt". All "Let's Encrypt" verifies is that at one point in time someone could access the em

Easy to scare, hard to solve

[shanen]

Sounds scary, even diabolical, especially in the psychological targeting. "Fortunately, of course, I am... immune to it's effect" because I'm out of that market?

Still I'd prefer to focus on the solutions, and I think the best solution approach is to focus on the money, as in removing it. Proof of concept: All that pump-and-dump stock scam spam you no longer receive. After some academics published papers proving the scammers had a money tree, they changed the rules of the game, removed the money, and spam go

Re:

[Junta]

I assume this is some GPT output, as it doesn't seem like coherent human text?

BYOE

[botmaster42]

Always Bring Your Own Executable. I guess they just catch the low hanging fruit. Odd because you would also assume any job applicant being required to run putty is a job for IT. And how many IT folk don't already have putty installed and using it regularly.. Seems like a poor attack method since it is so out in the open but I guess like anything they just want to get someone, anyone.

Re:

[DewDude]

They have to be targeting the people with zero knowledge. I looked at the way this supposedly works; I would have immediately logged in using normal SSH. If that didn't work then told me I had to use their client; I'd tell them "oh. I don't use Windows".

PuTTY?

[rnturn]

If I'm assigned a laptop and someone gives me the rights to install software on it (which is not uncommon in corporate environments for the technical staff), I'd rather jump through the minor hoops it takes to install Cygwin and use that for a secure connection to remote hosts.

PuTTY? Too darned much wasted effort tracking down the right menu and pointing/clicking to get connected to anything.

Q: I only use Windows under duress so, pardon me for asking: Does the new Linux environment for Windows include any

Re:

[Zarhan]

Q: I only use Windows under duress so, pardon me for asking: Does the new Linux environment for Windows include anything like a decent xterm, ssh, and sftp? If not, why the heck not?

The WSL 2 is a full-blown (transparent) virtual machine. I just run Debian on my work PC. In Windows 10, you need to run a separate X server for GUI software, in Win 11 you can just use everything natively, see https://learn.microsoft.com/en... [microsoft.com]

Re:

[Junta]

Of course wslg has the worst window manager behavior.

If using wslg instead of, say, an X server, you are stuck with their barebones little wslg window manager (the compositor runs as a weird third wheel hardcoded to be one specific way). This might not be too terrible if it at least offered Microsoft native window management capability, but it doesn't (e.g., no tiling). It's further glitchy as everything.

So my top choice remains an actual Linux desktop. If it has to be windows, then I get alacritty and r

Re:

[drinkypoo]

Putty does have a bad connection settings interface, but you only have to set it up for any given host once.

There is no reason not to use cygwin, though.

Re:

[jabuzz]

You do know that Windows 10 has had a built in SSH client for a couple of years now? There is no need to install any software.

they knew what they were getting into

[DrunkenTerror]

working for amazon is like being a contractor on the 2nd death star

Don't trust what people send you

[Todd Knarr]

This is why you don't trust things people send you. You don't know if they're trustworthy, and you don't know if what they sent is really what they said it is. If they say you need software, ignore any links or attachments and go directly to a primary source to get it: your platform's app store or repository, or the publisher's download site. If that isn't acceptable for them, they're up to something hinky.

Not qualified

[kmoser]

Assuming the job offering was for an engineer, presumably anyone stupid enough to download and install ISOs from unknown parties wasn't qualified to begin with.