Microsoft reports an uptick in activity by ZINC, a state-sponsored North Korean hacking group that was famously involved in the 2009 Sony hack.
Microsoft says its Threat Intelligence Center has detected a wide range of social engineering campaigns using weaponized legitimate open-source software over the last few months.
Microsoft Threat Intelligence Center (MSTIC) observed activity targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia, likely with the aim of espionage, data theft, financial gain, and network destruction.
Beginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads.
MSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move laterally and exfiltrate collected information from victim networks.
ZINC has successfully compromised numerous organizations since June 2022. Given the wide use of the platforms and software ZINC abuses in this campaign, the group could pose a significant threat to individuals and organizations across multiple sectors and regions.
Microsoft says its Defender for Endpoint provides comprehensive protection against the tools and custom malware used by ZINC, including ZetaNile. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts.
Check out Microsoft’s blog post for hunting queries to help admins comprehensively search their environments for relevant indicators of compromise.