Trojanized versions of PuTTY utility being used to spread backdoor
Researchers believe hackers with connections to the North Korean government have been pushing a Trojanized version of PuTTY in an attempt to backdoor the networks of organizations they want to spy on.
Researchers from security firm Mandiant said on Thursday that at least one customer it serves had an employee who installed the fake network utility by accident.
As a result, the employer's network was infected with a backdoor that researchers track as Airdry.
The file was sent by a group Mandiant tracks as UNC4034. "Mandiant identified several overlaps between UNC4034 and threat clusters we suspect have a North Korean nexus," the company said.
The threat actors posed as recruiters offering the employee a job at Amazon.
PuTTY is an open-source secure shell (SSH) and telnet client. The version sent in the WhatsApp message was not signed; official PuTTY releases are code-signed by the project, so a missing signature is itself a warning sign.
The executable file installed the latest version of Airdry, a backdoor the US government has attributed to the North Korean government.
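A quick triage check a defender could run on a suspicious binary like the one described above is to ask whether the Windows PE file carries an embedded Authenticode signature at all. The script below is an added example, not code from the article, from Mandiant or from the PuTTY project: it parses the PE headers, locates the certificate table (data directory entry 4, IMAGE_DIRECTORY_ENTRY_SECURITY) and checks that a WIN_CERTIFICATE blob of the expected revision and type sits there. The `build_minimal_pe` helper constructs a skeletal, non-executable PE purely as test input; it is not a real PuTTY binary.

```python
"""Triage check: does a Windows PE file carry an embedded Authenticode signature?

Added example (not from the article or the PuTTY project). It reports only the
PRESENCE of a certificate table; it does not validate the signature or its
chain. For real validation use signtool / Get-AuthenticodeSignature / osslsigncode.
"""
import struct
from typing import Optional, Tuple

SECURITY_DIR_INDEX = 4                   # IMAGE_DIRECTORY_ENTRY_SECURITY
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # PKCS#7 SignedData, i.e. Authenticode


def security_directory(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (file_offset, size) of the certificate table, or None if absent.

    Unlike other data directories, the security entry holds a raw file offset,
    not an RVA, because the signature is appended outside any section.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = e_lfanew + 24                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    if n_dirs <= SECURITY_DIR_INDEX:
        return None                      # header too short to even have a security entry
    offset, size = struct.unpack_from("<II", data, dirs_off + SECURITY_DIR_INDEX * 8)
    if offset == 0 or size == 0:
        return None
    return offset, size


def has_embedded_signature(data: bytes) -> bool:
    """True if a plausible WIN_CERTIFICATE header sits at the security entry."""
    loc = security_directory(data)
    if loc is None:
        return False
    offset, size = loc
    if size < 8 or offset + size > len(data):
        return False                     # table points past EOF: truncated or tampered file
    length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return (length <= size
            and revision == WIN_CERT_REVISION_2_0
            and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA)


def build_minimal_pe(signature: Optional[bytes] = None) -> bytes:
    """Constructed test fixture: a skeletal PE32+ with just enough header to carry
    a certificate table. It is NOT a runnable executable; `signature` is an
    arbitrary placeholder blob standing in for PKCS#7 SignedData."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=AMD64, 0 sections, SizeOfOptionalHeader=112+16*8, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0x22)
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    body = bytearray(dos + b"PE\0\0" + coff + opt)
    if signature is not None:
        blob = struct.pack("<IHH", 8 + len(signature), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        blob += b"\0" * (-len(blob) % 8)  # certificate table entries are 8-byte aligned
        entry = e_lfanew + 24 + 112 + SECURITY_DIR_INDEX * 8
        struct.pack_into("<II", body, entry, len(body), len(blob))
        body += blob
    return bytes(body)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "signed" if has_embedded_signature(fh.read()) else "UNSIGNED")
```

Run it as `python pe_sigcheck.py putty.exe`. An "UNSIGNED" result on a file that claims to be an official PuTTY release is the red flag the article describes; a "signed" result only means a signature blob is present, and the chain, timestamp and signer still have to be validated with a proper tool (`Get-AuthenticodeSignature` in PowerShell on Windows, or `osslsigncode verify` elsewhere), since an attacker can append any blob or sign with their own certificate.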