ZetaNile: Open source software trojans from North Korea

MITRE Techniques

• [T1566.001] Spearphishing Attachment – The attack begins with ZINC impersonating recruiters via LinkedIn and sending an ISO file as an attachment over WhatsApp. ‘The attack begins with ZINC impersonating recruiters in popular technology and defense companies, contacting victims through LinkedIn. After building trust with victims and encouraging them to apply at legitimate job listings, the attackers sent an ISO file as an attachment over WhatsApp.’
• [T1071.001] Web Protocols – The backdoor communicates with the C2 over HTTPS using POST requests to a server. ‘The backdoor communicated over HTTPS with POST commands to the server hxxps[://]leadsblue[.]com/wp-content/wp utility/index[.]php’
• [T1041] Exfiltration – The actors move laterally and exfiltrate data from victim networks. ‘move laterally and exfiltrate collected information from victim networks.’
• [T1055] Process Injection / In-Memory Execution – The payload loads in memory and hides with API hashing; shellcode is used to load an embedded DLL. ‘shellcode hides its functionality using API hashing and manually retrieves functions from the user32.dll and msvcrt.dll libraries.’
• [T1620] Reflective Code Loading – The final payload is loaded reflectively in memory, avoiding disk artifacts. ‘reflectively loads the payload in memory, avoiding disk artifacts.’
• [T1574.002] DLL Side-Loading – DLL hijacking/side-loading is used (e.g., colorui.dll loaded by a legitimate app). ‘PuTTY sample dropped the file colorui.dll in a new directory… and copied the legitimate executable…’
• [T1053.005] Scheduled Task – A scheduled task (PackageColor) is created to run the malicious payload. ‘c:windowssystem32schtasks.exe /CREATE /SC DAILY /MO 1 /ST 10:30 /TR “C:WindowsSystem32cmd.exe /c start /b C:ProgramDataPackageColorcolorcpl.exe 0CE1241A44557AA438F27BC6D4ACA246” /TN PackageColor /F’