North Korean Gang Uses Compromised Open Source Software to Distribute Malware, Researchers Find

Security researchers have identified new social engineering campaigns leveraging open source software to deliver malware that could help criminals with data theft, espionage and more.

Lots of companies and public institutions use open-source software in their daily operations. It’s easy to see why such software could become a delivery method for malware. Of course, offering tainted installers for widely used open-source software is not enough. Criminals need to resort to social engineering campaigns to persuade people to download and install infected software.

Security researchers from Microsoft attributed this new wave of campaigns to a North Korea-based, state-sponsored group named ZINC. Spearphishing is ZINC’s primary attack vector as the group approaches employees via social networks, especially LinkedIn. The goal is to persuade victims to install what seems to be innocuous open source software, which in reality has been modified to infect systems.

“Beginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets,” said Microsoft. “Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads.”

“MSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move laterally and exfiltrate collected information from victim networks. The actors have successfully compromised numerous organizations since June 2022,” Microsoft added.

These apps give criminals a way into the affected systems, allowing them to deploy malware and take complete control, and letting them move laterally inside the network.

Microsoft published a complete list of indicators of compromise for the malicious apps, attachments, files and IP addresses for command and control servers and other compromised domains.