A sophisticated nation-state-supported threat group, Zinc, has been spotted weaponizing open-source software. Since June 2022, the group has been operating social engineering campaigns aimed at companies globally.

An attack campaign

Microsoft and LinkedIn Threat Prevention and Defense linked the recent attacks with high confidence to a threat group identified as Zinc. Further, the group is related to the Lazarus group.
  • Researchers observed Zinc using different open-source software such as KiTTY, TightVNC, Sumatra PDF Reader, PuTTY, and muPDF/Subliminal Recording software installer.
  • Microsoft identified around five methods used to trojanize these open-source applications: packing with the commercial software protector Themida, DLL search order hijacking, custom encryption schemes, encoding victim information in the parameters of common keywords, and weaponization of SSH clients.
  • These applications are laden with the shellcode and malicious payloads that are tracked as the ZetaNile malware family.

Who are the victims?

The recent attacks by Zinc have targeted employees of organizations in several industries, including defense, aerospace, IT services, and media, located in the U.K., the U.S., Russia, and India.

Infection tactic

LinkedIn spotted Zinc creating fake profiles impersonating recruiters at defense, technology, and media firms, with the aim of moving targets from LinkedIn to WhatsApp for malware delivery.

In accordance with its policies, LinkedIn quickly suspended the accounts spotted in these attacks and other accounts linked with suspicious or fraudulent behavior.

Similar campaign

Earlier this month, Mandiant reported an ongoing campaign involving the weaponized PuTTY. The attackers used job lures on LinkedIn as part of a campaign named ‘Operation Dream Job’.

Conclusion

Zinc targets victims worldwide through a wide range of platforms and open-source software in its attack campaign, making it a major threat. Therefore, individuals and organizations using this open-source software should be vigilant. It is recommended to leverage a threat intelligence platform for threats tailored to your needs.
Cyware Publisher