{"id":122611,"date":"2022-09-29T09:00:00","date_gmt":"2022-09-29T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=122611"},"modified":"2024-05-22T10:45:28","modified_gmt":"2024-05-22T17:45:28","slug":"zinc-weaponizing-open-source-software","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/29\/zinc-weaponizing-open-source-software\/","title":{"rendered":"ZINC weaponizing open-source software"},"content":{"rendered":"\n
April 2023 update: Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. ZINC is now tracked as Diamond Sleet.
To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.
In recent months, Microsoft has detected a wide range of social engineering campaigns in which an actor we track as ZINC delivers weaponized versions of legitimate open-source software. Microsoft Threat Intelligence Center (MSTIC) observed activity targeting employees in organizations across multiple industries, including media, defense and aerospace, and IT services, in the US, UK, India, and Russia. Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based in North Korea whose objectives include espionage, data theft, financial gain, and network destruction.
Beginning in June 2022, ZINC employed traditional social engineering tactics, initially connecting with individuals on LinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued communication over WhatsApp, which then served as the delivery channel for their malicious payloads.
MSTIC observed ZINC weaponizing a wide range of open-source software for these attacks, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer. ZINC was observed attempting to move laterally and exfiltrate collected information from victim networks, and has successfully compromised numerous organizations since June 2022. The ongoing campaign using the weaponized PuTTY was also reported by Mandiant earlier this month. Because the platforms and software ZINC abuses in this campaign are so widely used, ZINC could pose a significant threat to individuals and organizations across multiple sectors and regions.
Microsoft Defender for Endpoint provides comprehensive protection against the tools and custom malware used by ZINC, including ZetaNile. The hunting queries provided at the end of this blog will help customers comprehensively search their environments for relevant indicators. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts.
Who is ZINC?
ZINC is a highly operational, destructive, and sophisticated nation-state activity group. Active since 2009, the group gained further public notoriety in 2014 following its successful attack against Sony Pictures Entertainment. ZINC is known to use a variety of custom remote access tools (RATs) as part of its arsenal, including those detected by Microsoft as FoggyBrass and PhantomStar.
Microsoft researchers have observed spear-phishing as a primary tactic of ZINC actors, but the group has also used strategic website compromises and social engineering across social media to achieve its objectives. ZINC targets employees of companies it is attempting to infiltrate and seeks to coerce these individuals into installing seemingly benign programs or opening weaponized documents that contain malicious macros. Targeted attacks have also been carried out against security researchers over Twitter and LinkedIn.
ZINC attacks appear to be motivated by traditional cyberespionage, theft of personal and corporate data, financial gain, and corporate network destruction. They bear many hallmarks of state-sponsored activity, such as heightened operational security, sophisticated malware that evolves over time, and politically motivated targeting.
ZINC, tracked by other security companies as Labyrinth Chollima and Black Artemis, has been observed conducting this campaign from late April to mid-September 2022.
Figure 1. Attack flow diagram for recent ZINC campaign

Observed actor activity
Impersonation and establishing contact
LinkedIn Threat Prevention and Defense detected ZINC creating fake profiles claiming to be recruiters at technology, defense, and media entertainment companies, with the goal of moving targets away from LinkedIn to the encrypted messaging app WhatsApp for the delivery of malware. ZINC primarily targeted engineers and technical support professionals working at media and information technology companies located in the UK, India, and the US. Targets received outreach tailored to their profession or background and were encouraged to apply for an open position at one of several legitimate companies. In accordance with its policies, LinkedIn quickly terminated the accounts identified in these attacks as associated with inauthentic or fraudulent behavior.
Figure 2. Fraudulent recruiter profile

Multiple methods used for delivery of ZetaNile
MSTIC has observed at least five trojanized open-source applications used to deliver the malicious payload and shellcode tracked as the ZetaNile malware family. The ZetaNile implants, also known as BLINDINGCAN, have been covered in CISA and JPCERT reports. The implant DLLs in the ZetaNile family are either packed with commercial software protectors such as Themida and VMProtect or encrypted using custom algorithms. The payload in the malicious DLL is decrypted using a custom key that is passed to it as part of the DLL search order hijacking of a legitimate Windows process, as shown in Figure 3. The ZetaNile implants use unique custom encryption methods or AES encryption to generate command and control (C2) HTTP requests to known compromised C2 domains. By encoding the victim information in parameters with innocuous names such as gametype or bbs in the HTTP POSTs, these C2 communications can blend in with legitimate traffic.
Weaponization of SSH clients
Once a connection with the target is established, ZINC delivers malicious versions of two SSH clients, PuTTY and KiTTY, which act as the entry vector for the ZetaNile implant. Both utilities provide terminal emulator support for different networking protocols, making them attractive programs for the individuals ZINC commonly targets. The weaponized versions were often delivered as compressed ZIP archives or ISO files containing a ReadMe.txt and an executable file to run. As part of the evolution of ZINC's malware development, and in an effort to evade traditional defenses, simply running the included executable does not drop the ZetaNile implant; the trojanized SSH client deploys it only when used to connect to the IP address given in the ReadMe.txt file, so a sandbox or analyst that merely executes the binary sees nothing malicious. An example of the content of that file is provided below:
Server: 137[.]184[.]15[.]189
User: [redacted]
Pass: [redacted]

Weaponized PuTTY malware
ZINC has used trojanized PuTTY as part of its attack chain for many years, and this most recent variant establishes persistence on compromised devices through scheduled tasks; Mandiant recently reported the same activity. The malicious PUTTY.exe is configured to install the EventHorizon malware as C:\ProgramData\colorui.dll and then copy C:\Windows\System32\colorcpl.exe to C:\ProgramData\colorcpl.exe. Because a process resolves unqualified DLL names from its own directory before System32, running the copied colorcpl.exe loads the attacker's colorui.dll from C:\ProgramData instead of the genuine one: a DLL search order hijack. The second-stage colorui.dll decodes its payload with the key "0CE1241A44557AA438F27BC6D4ACA246" and uses it for command and control. Upon successful connection to the C2 server, the attackers can install additional malware on the compromised device for other tasks.
Lastly, persistence is established by creating a daily scheduled task named PackageColor as part of the configuration of the weaponized PuTTY. ZINC accomplishes this with the command shown in Figure 3:
Figure 3. PuTTY – scheduled task as part of persistence

Weaponized KiTTY malware
While ZINC has used weaponized PuTTY for many years, it has only recently expanded its capabilities to a weaponized version of KiTTY, a fork of PuTTY. The executable first collects the username and hostname of the victim system and sends that information to the hardcoded IP 172[.]93[.]201[.]253 over TCP/22; this connection does not speak the SSH protocol and performs no SSH handshake. Upon a successful TCP connection to the server at 137[.]184[.]15[.]189, the malicious KiTTY executable deploys the malware as %AppData%\mscoree.dll after multiple rounds of decoding. The mscoree.dll file is the embedded payload, detected as EventHorizon, in the ZetaNile malware family. As with its version of PuTTY, the actor uses DLL search order hijacking to load the malicious DLL within the context of a legitimate Windows process, in this case by running %AppData%\KiTTY\PresentationHost.exe -EmbeddingObject, so that the relocated PresentationHost.exe resolves the attacker's mscoree.dll instead of the genuine one in the system directory.
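The beacon described above opens a TCP connection to port 22 but never performs the SSH identification exchange, which a network sensor can check cheaply. RFC 4253 section 4.2 requires each side to send an identification string of the form SSH-protoversion-softwareversion [comments] terminated by CRLF before anything else; only the server is allowed to precede it with banner lines, and none of those may begin with "SSH-". The Python below is an added example, not Microsoft's code: classify_session() applies that rule to the first bytes each side sent, and find_non_ssh_on_22() runs it over a constructed flow sample. The beacon payload in the sample is invented (not the real KiTTY format) and the addresses are RFC 5737 documentation ranges; a real hunt would also match the hardcoded IP given in the text above.

```python
"""Flag TCP/22 sessions that never perform the SSH identification exchange.

Added example, not Microsoft's code. RFC 4253 section 4.2: each side sends
"SSH-protoversion-softwareversion SP comments CR LF" before anything else.
The client's identification string must be its first line; the server MAY
send other lines first, none beginning with "SSH-". A raw beacon over port 22,
like the one the KiTTY variant sends, satisfies neither side of that rule.
"""
from __future__ import annotations

import re

# SSH-<proto>-<software>[ <comments>]; the identification line is at most 255 bytes.
ID_LINE = re.compile(rb"^SSH-\d+\.\d+-\S+(?: .*)?$")
MAX_PREAMBLE_LINES = 16  # bound on server banner lines we are willing to skip


def ssh_identification(stream: bytes, allow_preamble: bool) -> bytes | None:
    """Return the identification line found at the start of a stream, or None.

    allow_preamble=False (client side): the very first line must be the ID line.
    allow_preamble=True  (server side): banner lines may precede it.
    A line that starts with "SSH-" but is malformed is treated as non-SSH.
    """
    for line in stream.split(b"\n")[:MAX_PREAMBLE_LINES]:
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            return line if ID_LINE.match(line) and len(line) <= 255 else None
        if not allow_preamble:
            return None
    return None


def classify_session(client_first: bytes, server_first: bytes) -> str:
    """'ssh' when both sides identify per RFC 4253, else 'non-ssh-on-22'.

    Both directions are required: a capture that is missing the server half
    is reported, which is the conservative choice for a hunt.
    """
    client_id = ssh_identification(client_first, allow_preamble=False)
    server_id = ssh_identification(server_first, allow_preamble=True)
    return "ssh" if client_id and server_id else "non-ssh-on-22"


def find_non_ssh_on_22(flows: list[dict]) -> list[tuple[str, str]]:
    """Return (src, dst) pairs for port-22 flows that are not SSH."""
    return [(f["src"], f["dst"]) for f in flows
            if f["dport"] == 22 and classify_session(f["client"], f["server"]) != "ssh"]


# Constructed flow records (first bytes each side sent). Addresses are RFC 5737
# documentation ranges; the beacon content is invented, not the real format.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 22,
     "client": b"SSH-2.0-PuTTY_Release_0.77\r\n",
     "server": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"},
    {"src": "10.0.0.5", "dst": "192.0.2.11", "dport": 22,  # legitimate: server pre-banner
     "client": b"SSH-2.0-OpenSSH_9.0\r\n",
     "server": b"Authorized access only\r\nSSH-2.0-dropbear_2022.83\r\n"},
    {"src": "10.0.0.7", "dst": "198.51.100.23", "dport": 22,  # beacon-shaped: host/user, no SSH
     "client": b"WORKSTATION-42|jdoe",
     "server": b""},
    {"src": "10.0.0.7", "dst": "198.51.100.23", "dport": 443,  # not port 22, ignored
     "client": b"\x16\x03\x01", "server": b""},
]

if __name__ == "__main__":
    print(find_non_ssh_on_22(SAMPLE_FLOWS))  # [('10.0.0.7', '198.51.100.23')]
```

The check is deliberately narrow: it says nothing about what the beacon contains, only that the session on a well-known port does not follow the protocol the port implies, which is exactly the property the text describes and which survives any change in the beacon's encoding.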
Figure 4. KiTTY – DLL search order hijacking

The mscoree.dll malware is modularized so that, upon successful connection to the compromised C2 domain, the attackers can use the existing C2 channel to install additional malware on the target system as needed, for example by running C:\ProgramData\Cisco\fixmapi.exe -s AudioEndpointBuilder to side-load a malicious mapistub.dll retrieved from the compromised C2 server (the same pattern as colorcpl.exe: a Windows system binary placed in a writable directory so that it loads the attacker's DLL). The HTTP POST requests carry a hardcoded user agent string with a misspelled "Edge", as detailed below, and contain a unique ID in the gametype field and a hardcoded value in the type field, which the actor uses to track the malware campaign:
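The three side-loading pairs on this page (colorcpl.exe and colorui.dll in C:\ProgramData, PresentationHost.exe and mscoree.dll under %AppData%, fixmapi.exe and mapistub.dll in C:\ProgramData\Cisco) and the PackageColor scheduled task share one shape that can be hunted generically: a Windows system executable running from a user-writable directory and loading a DLL from outside the Windows directory. The Python below is an added example, not Microsoft's code and not one of the hunting queries at the end of this blog. It runs that rule over a constructed, Sysmon-style event sample; the field names follow Sysmon event IDs 1/7 and Security event 4698, but the events, PIDs and the "victim" profile path are made up, and the SYSTEM_BINARIES set is an assumption that a real hunt would build from a clean reference host.

```python
"""Hunt for relocated system binaries side-loading DLLs (the ZetaNile pattern).

Added example, not Microsoft's code or one of the blog's hunting queries.
Rule 1: an ImageLoad (Sysmon event 7) where the loading process has the file
        name of a Windows system executable but runs outside the system
        directories, and the DLL comes from outside C:\\Windows.
Rule 2: a scheduled task creation (Security event 4698) named PackageColor,
        or whose action runs such a relocated system binary.
The event records below are constructed for this demo.
"""
from __future__ import annotations

import ntpath

# Assumption: a real hunt would populate this from every *.exe under System32
# on a clean reference host; these three are the names this page shows.
SYSTEM_BINARIES = {"colorcpl.exe", "presentationhost.exe", "fixmapi.exe"}

# Where a genuine copy of a system executable is expected to run from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# A relocated system binary loading a DLL from outside here is the side-load signal.
WINDOWS_ROOT = (r"c:\windows",)


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path (ntpath works on any host OS)."""
    return ntpath.normpath(path).lower()


def _under(path: str, roots: tuple[str, ...]) -> bool:
    """True when path lies below one of the given directory roots."""
    p = _norm(path)
    return any(p.startswith(root + "\\") for root in roots)


def is_relocated_system_binary(image: str) -> bool:
    """System executable by name, but not running from a system directory."""
    return (ntpath.basename(_norm(image)) in SYSTEM_BINARIES
            and not _under(image, SYSTEM_DIRS))


def hunt(events: list[dict]) -> list[dict]:
    """Apply both rules and return one finding per matching event."""
    findings: list[dict] = []
    for ev in events:
        if ev["id"] == 7:  # ImageLoad
            if (is_relocated_system_binary(ev["Image"])
                    and not _under(ev["ImageLoaded"], WINDOWS_ROOT)):
                findings.append({
                    "rule": "relocated-system-binary-sideload",
                    "pid": ev["pid"], "image": ev["Image"], "dll": ev["ImageLoaded"],
                    # Signature state is context only; the rule fires on the path anomaly.
                    "signed": ev.get("Signed", "unknown"),
                })
        elif ev["id"] == 4698:  # scheduled task created
            name = ev["TaskName"].lstrip("\\").lower()
            if name == "packagecolor" or is_relocated_system_binary(ev["Command"]):
                findings.append({
                    "rule": "suspicious-scheduled-task",
                    "task": ev["TaskName"], "command": ev["Command"],
                })
    return findings


# Constructed sample telemetry (not real logs); PIDs and the "victim" profile are made up.
SAMPLE_EVENTS = [
    # PuTTY chain: colorcpl.exe copied to C:\ProgramData resolves colorui.dll from its own directory
    {"id": 7, "pid": 4120, "Image": r"C:\ProgramData\colorcpl.exe",
     "ImageLoaded": r"C:\ProgramData\colorui.dll", "Signed": "false"},
    # KiTTY chain: PresentationHost.exe under %AppData%\KiTTY loads mscoree.dll from %AppData%
    {"id": 7, "pid": 5208, "Image": r"C:\Users\victim\AppData\Roaming\KiTTY\PresentationHost.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\mscoree.dll", "Signed": "false"},
    # Second stage: fixmapi.exe -s AudioEndpointBuilder side-loads mapistub.dll
    {"id": 7, "pid": 6001, "Image": r"C:\ProgramData\Cisco\fixmapi.exe",
     "ImageLoaded": r"C:\ProgramData\Cisco\mapistub.dll", "Signed": "false"},
    # Persistence: the PackageColor daily task
    {"id": 4698, "TaskName": r"\PackageColor", "Command": r"C:\ProgramData\colorcpl.exe"},
    # Benign: the genuine colorcpl.exe loading the genuine colorui.dll from System32
    {"id": 7, "pid": 7000, "Image": r"C:\Windows\System32\colorcpl.exe",
     "ImageLoaded": r"C:\Windows\System32\colorui.dll", "Signed": "true"},
    # Not a side-load (rule 1 silent): the DLL still comes from System32. The relocated
    # process itself would be caught by a ProcessCreate rule, omitted here.
    {"id": 7, "pid": 7100, "Image": r"C:\ProgramData\colorcpl.exe",
     "ImageLoaded": r"C:\Windows\System32\ws2_32.dll", "Signed": "true"},
    # Benign: an ordinary user-installed program loading its own DLL
    {"id": 7, "pid": 7200, "Image": r"C:\Users\victim\AppData\Roaming\KiTTY\kitty.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\KiTTY\kitty.dll", "Signed": "true"},
    # Benign: a task whose action is a system binary in its proper directory
    {"id": 4698, "TaskName": r"\Microsoft\Windows\Example", "Command": r"C:\Windows\System32\colorcpl.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 keys on the path anomaly rather than on the DLL name, so it also covers variants that swap colorui.dll for another import of the copied binary; the cost is that any legitimately relocated system executable (portable tool bundles occasionally do this) will surface and needs triage.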