It is an interesting element in this campaign that a trojanized version of the PuTTY and KiTTY SSH utilities has been used as a means of deploying a backdoor. While in this case, the PuTTY and KiTTY SSH utility is ‘AIRDRY.V2’.
The cybersecurity researchers at Mandiant have associated this campaign with the threat group known as ‘UNC4034’, and here below we have mentioned the other names of this group:-
- [Labyrinth Chollima]
In the latest activities carried out by the group, it appears that the campaign ‘Operation Dream Job’ is being continued. As part of this campaign, which has been running since June 2020, media companies are being targeted at this time.
Using the legitimate program, the threat actors compile the PuTTY executable file. There is no difference between this version and the legitimate version, and it is fully functional.
There is a modification in PuTTY’s “connect_to_host()” function that is being used by the hackers. Using the enclosed credentials, the program will deploy in the form of a DLL packed with Themida a malicious DAVESHELL shellcode payload which will be executed upon successful SSH connection.
The DAVESHELL program is used to drop the final payload into memory directly:-
- AIRDRY.V2 backdoor malware
Supported Command IDs
There are several supported command IDs and here below we have mentioned them:-
- 0x2009: Upload basic system information
- 0x2028: Update the beacon interval based on a value provided by the C2 server
- 0x2029: Deactivate until new start date and time
- 0x2031: Upload the current configuration
- 0x2032: Update the configuration
- 0x2037: Keep-alive
- 0x2038: Update the beacon interval based on a value in the configuration
- 0x2052: Update the AES key used to encrypt C2 requests and configuration data
- 0x2057: Download and execute a plugin in memory
There are fewer commands that can be used with the new version of AIRDRY when compared to the previous version. However, the flexibility of the backdoor is not compromised by reducing the number of commands supported.
Moreover, using the properties of the executable, you can check whether the binary is digitally signed by ‘Simon Tatham’ so as to ensure that the version of PuTTY you are using isn’t trojanized.