Not a dream job: Hunting for malicious job offers from an APT
Quote:

TL;DR: A recent Mandiant blog described a series of targeted attacks over WhatsApp by an APT cluster named UNC4034. We found several additional cases in VirusTotal which we believe with high confidence are related to the same activity set.

According to the original publication, this activity is most likely related to a North Korean actor and could be an extension of Operation “Dream Job”, leveraging targeted distribution of malicious ISO files. Based on Mandiant’s research, in the first stage the attacker sends a job offer at Amazon to the victim by email, followed by a WhatsApp web message where the attacker shares a malicious ISO file, pretending to be part of the selection process.

The original publication provides two hashes of ISO files named amazon_test.iso and amazon_assessment.iso respectively. Unfortunately, only the first one was found in VirusTotal:

8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b
e03da0530a961a784fbba93154e9258776160e1394555d0752ac787f0182d3c0

Hunting for more samples
We started by trying to find the ISO we were missing in VirusTotal by searching for files with the same name:

name:"amazon_assessment.iso"

The search results provided us with one sample (dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031). In Mandiant’s publication both samples share the same configuration, which can be found in an embedded Readme.txt file. The new sample seems to be a new variant with a different configuration, also in a Readme.txt file, as shown below:

[Image: qUzb9kbrh8RHMoK-o4hBrNY1VCBY0ZBrUo4ndA5L...zLEDja5XgQ]

Both ISO files contain two files inside them - a Windows executable (apparently a poisoned version of PuTTY) and Readme.txt. We decided to search for all the ISO samples bundling only two specific files - Readme.txt and an *.exe file. Additionally, we filtered out all samples over 10 MB or submitted to VirusTotal before 2020. We obtained the following 6 samples, including the ones already discussed.
...
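The VirusTotal query in the quoted post filters on ISO structure (exactly two root files, Readme.txt plus one *.exe, at most 10 MB). The same two-file profile can be checked offline on a sample you already hold by reading the ISO 9660 primary volume descriptor and walking the root directory. The script below is an added example written for this thread; it is not code from the VirusTotal or Mandiant publications. It builds a constructed, minimal ISO 9660 image in memory (no Joliet, no path tables, made-up file contents and an assumed volume label) purely so the parser has something to run on, then lists the root entries, extracts the embedded Readme.txt, and applies the two-file profile. The "submitted after 2020" condition is VirusTotal metadata that the image itself does not carry, so it is not part of the check.

```python
import struct

SECTOR = 2048  # ISO 9660 logical block size


def _both16(n: int) -> bytes:
    """ECMA-119 'both-byte order' 16-bit field: little-endian then big-endian."""
    return struct.pack("<H", n) + struct.pack(">H", n)


def _both32(n: int) -> bytes:
    return struct.pack("<I", n) + struct.pack(">I", n)


def _dir_record(name: bytes, extent: int, size: int, is_dir: bool) -> bytes:
    """Build one ISO 9660 directory record (ECMA-119 section 9.1)."""
    body = (bytes([0])                     # extended attribute record length
            + _both32(extent)              # location of extent (LBA)
            + _both32(size)                # data length in bytes
            + bytes(7)                     # recording date/time (left zero)
            + bytes([2 if is_dir else 0])  # file flags: bit 1 = directory
            + bytes([0, 0])                # file unit size, interleave gap
            + _both16(1)                   # volume sequence number
            + bytes([len(name)]) + name)   # file identifier
    total = 1 + len(body)
    pad = b"\x00" if total % 2 else b""    # records are padded to even length
    return bytes([total + len(pad)]) + body + pad


def build_iso(files: dict) -> bytes:
    """Constructed sample image (not a real lure): root directory only, no path tables,
    no Joliet. It exists so the parser below has a stand-alone input."""
    root_lba = 18
    records = [_dir_record(b"\x00", root_lba, SECTOR, True),   # '.'
               _dir_record(b"\x01", root_lba, SECTOR, True)]   # '..'
    payload, lba = [], root_lba + 1
    for name, content in files.items():
        ident = (name.upper() + ";1").encode("ascii")          # level-1 style identifier
        records.append(_dir_record(ident, lba, len(content), False))
        nsec = max(1, -(-len(content) // SECTOR))
        payload.append(content.ljust(nsec * SECTOR, b"\x00"))
        lba += nsec
    root_dir = b"".join(records).ljust(SECTOR, b"\x00")
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1                  # primary volume descriptor
    pvd[8:40] = b" " * 32                                      # system identifier
    pvd[40:72] = b"AMAZON_ASSESSMENT".ljust(32)                # assumed volume label
    pvd[80:88] = _both32(lba)                                  # volume space size (sectors)
    pvd[120:124], pvd[124:128] = _both16(1), _both16(1)        # volume set size / seq no.
    pvd[128:132] = _both16(SECTOR)                             # logical block size
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True)  # root directory record
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1             # descriptor set terminator
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + root_dir + b"".join(payload)


def list_iso_root(image: bytes) -> list:
    """Walk the root directory of an ISO 9660 image.
    Returns (name, lba, size, is_dir) tuples with the ';1' version suffix stripped."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    root_lba = struct.unpack_from("<I", pvd, 156 + 2)[0]
    root_len = struct.unpack_from("<I", pvd, 156 + 10)[0]
    directory = image[root_lba * SECTOR:root_lba * SECTOR + root_len]
    entries, off = [], 0
    while off < len(directory):
        rec_len = directory[off]
        if rec_len == 0:                   # records never span sectors: skip the padding
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec = directory[off:off + rec_len]
        off += rec_len
        name = rec[33:33 + rec[32]]
        if name in (b"\x00", b"\x01"):     # '.' and '..'
            continue
        entries.append((name.decode("ascii", "replace").split(";")[0],
                        struct.unpack_from("<I", rec, 2)[0],
                        struct.unpack_from("<I", rec, 10)[0],
                        bool(rec[25] & 2)))
    return entries


def read_iso_file(image: bytes, name: str) -> bytes:
    """Pull one root-level file (e.g. the Readme.txt carrying the configuration)."""
    for entry_name, lba, size, is_dir in list_iso_root(image):
        if not is_dir and entry_name.lower() == name.lower():
            return image[lba * SECTOR:lba * SECTOR + size]
    raise FileNotFoundError(name)


def matches_lure_profile(image: bytes, max_size: int = 10 * 1024 * 1024) -> bool:
    """The structural part of the hunting profile: at most 10 MB, and exactly two
    root files, Readme.txt plus a single .exe. Submission date is VT metadata, not checked."""
    if len(image) > max_size:
        return False
    files = [n.lower() for n, _, _, is_dir in list_iso_root(image) if not is_dir]
    if len(files) != 2 or "readme.txt" not in files:
        return False
    other = [n for n in files if n != "readme.txt"]
    return len(other) == 1 and other[0].endswith(".exe")


if __name__ == "__main__":
    lure = build_iso({"Readme.txt": b"constructed placeholder config",
                      "Amazon_Assessment.exe": b"MZ" + bytes(100)})
    for entry in list_iso_root(lure):
        print(entry)
    print("matches profile:", matches_lure_profile(lure))
```

On a real sample, skip build_iso and pass the bytes of the ISO file straight to list_iso_root and matches_lure_profile; a match is only a triage signal, the Readme.txt content and the executable's hash are what you pivot on afterwards.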


Messages In This Thread
Not a dream job: Hunting for malicious job offers from an APT - by harlan4096 - 04 November 22, 06:52
