DPRK Job Opportunity Phishing via WhatsApp | PuTTY Utility

UNC4034 used a WhatsApp-based spear-phish that delivered ISO attachments (e.g., amazon_assessment.iso) containing a trojanized PuTTY binary which dropped a Themida-packed DLL and ultimately deployed the AIRDRY.V2 backdoor. The chain included DLL search-order hijacking via a copied colorcpl.exe, scheduled-task persistence, and HTTP-based C2 communications. #AIRDRY.V2 #UNC4034

Keypoints

  • Initial access: targeted job lure via email and WhatsApp delivering ISO archives (e.g., amazon_assessment.iso) that auto-mount on Windows 10+.
  • ISO contents: a Readme.txt with connection details and a trojanized PuTTY.exe; executing PuTTY triggers embedded malicious code when an SSH connection/authentication is attempted.
  • Dropper behavior: the trojanized PuTTY writes an embedded Themida-packed DLL (colorui.dll) to C:\ProgramData\PackageColor, copies colorcpl.exe there, and launches it to achieve DLL search-order hijacking.
  • In-memory payload: colorui.dll decrypts and executes DAVESHELL shellcode (XOR with dynamically built key) which maps and runs a VMProtect-packed AIRDRY.V2 backdoor in memory.
  • AIRDRY.V2: plugin-based backdoor supporting HTTP/file/SMB modes, AES-protected configuration, LZ4+AES-encrypted command payloads, and a reduced command set extended via in-memory plugins.
  • Persistence & execution: scheduled task “PackageColor” runs colorcpl.exe daily; malicious launches used cmd.exe or WinExec with hex command-line arguments consumed by the DLL.
  • Detection leads: monitor ISO/IMG downloads from messaging/cloud sources, execution of colorcpl.exe from nonstandard paths with unusual CLI args, and scheduled task “PackageColor”.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Used to deliver ISO archive to victim. (‘shared the file amazon_assessment.iso’)
  • [T1566.003] Phishing: Spearphishing via Service – Initial contact and file delivery over WhatsApp. (‘communicated with them over WhatsApp and shared the file’)
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Used to launch colorcpl.exe via cmd.exe. (‘cmd.exe /c start /b C:\ProgramData\PackageColor\colorcpl.exe …’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence established via a scheduled task named PackageColor. (‘A scheduled task named PackageColor executes colorcpl.exe at 10:30AM local time every day.’)
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – Malicious DLL loaded by copying colorcpl.exe into attacker-controlled folder and launching it. (‘the embedded payload is written to C:\ProgramData\PackageColor\colorui.dll … launches colorui.dll via DLL search order hijacking’)
  • [T1055.001] Process Injection: Dynamic-link Library Injection – Malicious DLL may inject/delegate execution into credwiz.exe or iexpress.exe. (‘inject it into a new instance of a legitimate Windows process… credwiz.exe or iexpress.exe’)
  • [T1218] System Binary Proxy Execution – Using legitimate system binaries (colorcpl.exe) to proxy execution of malicious DLL. (‘C:\Windows\System32\colorcpl.exe is copied to the new directory C:\ProgramData\PackageColor’)
  • [T1620] Reflective Code Loading – DAVESHELL shellcode executes an embedded payload in memory (in-memory dropper behavior). (‘DAVESHELL is shellcode that functions as an in-memory dropper’)
  • [T1027.002] Obfuscated Files or Information: Software Packing – colorui.dll samples were packed with Themida; PuTTY binary had a high-entropy .data section. (‘packed using the commercial software protector Themida’, ‘large, high entropy .data section’)
  • [T1071.001] Application Layer Protocol: Web Protocols – AIRDRY.V2 communicates with C2 via HTTP POST requests. (‘The backdoor issues an HTTP POST request to a randomly selected C2 URL.’)
  • [T1071.002] Application Layer Protocol: File Transfer Protocols – AIRDRY.V2 can operate in file mode by writing requests to files (file-based communication mode). (‘AIRDRY.V2’s file mode uses the same HTTP request format but writes each request to a file.’)
  • [T1132.001] Data Encoding: Standard Encoding – C2 payload fields are Base64-encoded. (‘decoded Base64 data assigned to the bbs field’)
  • [T1573.001] Encrypted Channel: Symmetric Encryption – Backdoor configuration is AES-128-CBC encrypted with a hard-coded key. (‘configuration is AES-128 encrypted in CBC mode with the hard-coded key KAA5M8MNDKLJB8PI’)
  • [T1573.002] Encrypted Channel: Asymmetric Encryption – AIRDRY.V2 uses layered encryption for command data (AES-256 key derived via SHA256 from a hard-coded sequence) to protect command payloads. (‘the article data is compressed using LZ4 and then encrypted with AES… AES-256 key is derived using the SHA256 hash of a hard-coded 32-byte sequence’)

Indicators of Compromise

  • [File Hashes] Examples of malicious artifacts – SHA256 8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bba6b (amazon_assessment.iso), SHA256 1492fa04475b89484b5b0a02e6ba3e52544c264c294b57210404b96b65e63266 (trojanized PuTTY.exe)
  • [IPv4 Address] Embedded connection host – 137.184.15[.]189 (IP listed in Readme.txt for SSH connection)
  • [URLs / C2] AIRDRY.V2 command-and-control – hxxps://hurricanepub[.]com/include/include.php, hxxps://turnscor[.]com/wp-includes/contacts.php
  • [File Paths / Filenames] Dropped and abused binaries – C:\ProgramData\PackageColor\colorui.dll (Themida-packed dropper), C:\ProgramData\PackageColor\colorcpl.exe (copy of legitimate colorcpl.exe used for DLL hijack)
  • [Filenames / Attachments] Delivery artifacts – amazon_assessment.iso, amazon_test.iso (ISO lures containing trojanized PuTTY and Readme.txt)
  • [Scheduled Task] Persistence identifier – Task Name: PackageColor (scheduled to run colorcpl.exe daily)

The technical attack chain begins with a WhatsApp-delivered ISO (e.g., amazon_assessment.iso) that auto-mounts on Windows and contains Readme.txt (with an IP and credentials) and a trojanized PuTTY.exe. The fake PuTTY is a compiled, fully functional client with injected code that triggers when an SSH connection or password-based authentication is attempted; this code writes a Themida-packed DLL (colorui.dll) and copies colorcpl.exe into C:\ProgramData\PackageColor, then launches the copied colorcpl.exe to load the malicious DLL via DLL search-order hijacking.

colorui.dll contains an encrypted DAVESHELL payload; it builds a dynamic XOR decryption key from the parent process name (COLORCPL.EXE), the DLL filename (COLORUI.DLL), and the hex command-line argument passed to colorcpl.exe. After decryption, DAVESHELL executes in-memory and maps a VMProtect-packed AIRDRY.V2 backdoor. Depending on the command-line argument, the DLL either runs the shellcode inside colorcpl.exe or injects it into credwiz.exe or iexpress.exe.

AIRDRY.V2 loads an AES-128-CBC encrypted configuration (hard-coded key KAA5M8MNDKLJB8PI), supports HTTP, file, and SMB communication modes, and sends structured HTTP POSTs with Base64-encoded fields (bbs/article). The article field is LZ4-compressed then AES-encrypted (AES-256 key derived via SHA256 of a hard-coded 32-byte sequence). Persistence is achieved by a scheduled task named PackageColor that runs the copied colorcpl.exe daily, and C2 is configured via multiple URLs embedded in the decrypted configuration.
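The three detection leads from the Keypoints above (colorcpl.exe running outside System32, a bare hex command-line argument handed to it, and the PackageColor scheduled task) turned into a small triage rule over process-creation and task-registration telemetry. This is an added example, not code from the Mandiant report or its tooling; the Sysmon-style event dicts and the hex argument value are constructed placeholders.

```python
import re
from pathlib import PureWindowsPath

# A bare hex token of 8+ characters: the DLL-consumed argument described on the page.
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{8,}$")
SYSTEM32 = r"c:\windows\system32"

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def check_process_event(ev: dict) -> list:
    """Detection names fired by one process-creation event (Sysmon EID 1 style)."""
    hits = []
    image, tokens = ev.get("Image", ""), ev.get("CommandLine", "").split()
    # Lead 1: colorcpl.exe running from anywhere except System32 (the copied binary).
    if _name(image) == "colorcpl.exe" and str(PureWindowsPath(image).parent).lower() != SYSTEM32:
        hits.append("colorcpl_nonstandard_path")
    # Lead 2: a command line that targets colorcpl.exe and carries a bare hex argument;
    # this covers both the direct launch and the cmd.exe /c start /b wrapper.
    if any(_name(t) == "colorcpl.exe" for t in tokens) and any(HEX_TOKEN.match(t) for t in tokens):
        hits.append("colorcpl_hex_argument")
    return hits

def check_task_event(ev: dict) -> list:
    """Lead 3: a scheduled task whose leaf name is PackageColor, in any task folder."""
    leaf = ev.get("TaskName", "").lower().rstrip("\\").rsplit("\\", 1)[-1]
    return ["scheduled_task_packagecolor"] if leaf == "packagecolor" else []

def scan(events: list) -> dict:
    """Map event Id -> detections; events with no hits are omitted."""
    out = {}
    for ev in events:
        hits = check_task_event(ev) if ev["EventType"] == "TaskCreate" else check_process_event(ev)
        if hits:
            out[ev["Id"]] = hits
    return out

# Constructed sample telemetry, not from the report; the hex argument is a placeholder value.
SAMPLE_EVENTS = [
    {"Id": "e1", "EventType": "ProcessCreate", "Image": r"C:\ProgramData\PackageColor\colorcpl.exe",
     "CommandLine": r"C:\ProgramData\PackageColor\colorcpl.exe 0A1B2C3D4E5F6A7B"},
    {"Id": "e2", "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start /b C:\ProgramData\PackageColor\colorcpl.exe 0A1B2C3D4E5F6A7B"},
    {"Id": "e3", "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\colorcpl.exe",
     "CommandLine": "colorcpl.exe"},  # benign: genuine binary, no hex argument
    {"Id": "e4", "EventType": "TaskCreate", "TaskName": r"\PackageColor"},
    {"Id": "e5", "EventType": "TaskCreate", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]
```

Running `scan(SAMPLE_EVENTS)` flags e1 on both process leads, e2 on the hex-argument lead only, and e4 on the task name, while the genuine colorcpl.exe launch and the Defrag task stay clean.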

Read more: https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing