The Zinc APT weaponises open-source software in attacks

October 11, 2022

An advanced persistent threat group called Zinc APT has been seen by researchers weaponising open-source software. This state-sponsored threat group has been running several social engineering campaigns since June last year and has numerous targets worldwide.

Researchers have linked this APT group to another state-backed entity called Lazarus. Open-source software identified in its attacks includes the Sumatra PDF Reader, PuTTY, KiTTY, TightVNC, and the muPDF/Subliminal Recording software installer. Researchers from Microsoft identified five different methods used to weaponise these open-source apps.

Microsoft’s team also noticed that the threat actors used the software protector Themida, DLL search-order hijacking, custom encryption methods, encoding of victim information in keyword parameters, and trojanised SSH clients.

These apps are packed with malicious payloads and shellcode tracked as the ZetaNile malware strain.

The Zinc APT group has targeted various critical organisations in different first-world countries.

The latest campaign of the Zinc APT group has targeted many organisations in different first-world countries, such as Russia, the United Kingdom, the United States, and India. Reports revealed that the group’s primary targets are employees in critical infrastructure sectors such as IT services, media, defence, and aerospace.

LinkedIn also noticed that Zinc operators were impersonating job recruiters for media, technology, and defence companies in order to move targets from LinkedIn to WhatsApp, where the malware is delivered.

Fortunately, LinkedIn’s policies have led to the restriction of accounts allegedly related to Zinc’s campaign. The company also immediately suspended the funds linked to the fraudulent attacks.

Researchers also noted a similar campaign last month in which they discovered a weaponised build of PuTTY. The adversaries in that campaign, named “Operation Dream Job,” used job offers on LinkedIn as bait.

Therefore, organisations that use these open-source tools should be wary of such threats, since the Zinc operators rely on a wide array of weaponised open-source software. For now, companies should take advantage of threat intelligence platforms to counter these types of attacks.
