Season 3, EP 4

ZetaNile - Open Source Software Trojans

November 30, 2022

In this episode, host Paul Roberts chats with ReversingLabs Malware Researcher Joseph Edwards about his latest threat research on ZetaNile, which is a set of trojanized, open source software implants.

Plus: Read Joseph Edwards' deep dive on ZetaNile.

EPISODE TRANSCRIPT

PAUL ROBERTS
Hey, welcome back to ConversingLabs. I'm your host, Paul Roberts, and ConversingLabs, if you're new to this show, is ReversingLabs' podcast, where we talk about the latest happenings in threat analysis, software assurance. And we talked to the best and brightest minds in cybersecurity, and we got one of them on the line here today. Welcoming back Joseph Edwards, who is a malware researcher here at ReversingLabs. Joseph, welcome.

JOSEPH EDWARDS
Thanks, Paul. Glad to be back.

PAUL ROBERTS
It's great to have you back. How have you been?

JOSEPH EDWARDS
Been pretty good. Still doing the research, still working on the malware, trying to dive in deep and get technical.

PAUL ROBERTS
Yeah. And you're with us here today because you've got some new research that you put together on a threat that has been getting a fair amount of kind of attention in recent weeks, but you did sort of a deep dive on it. And this is a piece of malware that we're calling ZetaNile, is that right?

JOSEPH EDWARDS
Yeah, that's the Microsoft naming for the specific component. So yeah, that's something that they've named and they published some of the first research on it. But we've gone ahead and done a deep dive into the technical aspects.

PAUL ROBERTS
This was back in September. So what do you know? What can you tell us about this specific attack? And also what do we know about how long it was uncovered in September, how long it was going on before it was detected?

JOSEPH EDWARDS
From the looks of things, the report is on a group that they track as ZINC. It's a North Korean group. And we know that they have a history of conducting these campaigns on LinkedIn. So the timeline of this campaign is not exactly super clear, but since June is when Microsoft was saying that they've been conducting the attacks. And so throughout these campaigns, they've been using this tool called ZetaNile, which is kind of a loader that they've embedded in open source software. They've Trojanized a couple of different software products to get past unsuspecting users, and they use a lot of social engineering as well. But that's kind of the background.

PAUL ROBERTS
Yeah. And we'll talk about that. ZINC, aka Lazarus. This is a North Korean advanced persistent threat group presumed to be affiliated with the government of North Korea. Given that, I don't think you do anything in North Korea without the safe seal of the government. What do we know about Lazarus/ZINC, and kind of their M.O. and who they target, that type of stuff?

JOSEPH EDWARDS
Sure. They definitely have a history of targeting major defense contractors and manufacturing and aerospace and various companies like that. Some of the bigger names include Boeing and Lockheed Martin and various targets that could be valuable to them. So they do have a history of doing these dream job campaigns where they will post some kind of job description, get people to apply via the official link, and then follow up with the victims as if they are recruiters or HR at these companies. So this was a similar campaign.

PAUL ROBERTS
Pretty clever actually, to sort of engage, send them to a legitimate job posting and then follow up and oh, thanks for the application, we're really interested. Here's a malicious link, could you click on it? And that's apparently what happened in the case with this ZetaNile. They sent them these ISO images basically to download and install, I guess a.) Should that be a red flag to anybody engaged in a discussion about a potential job offering? And b.) These ISO images, what did they have in them and what happened to the people who downloaded and ran these things?

JOSEPH EDWARDS
That's a good point. The ISO images have become a popular delivery method for malware because they are containers, basically not too different from having like a zip file. They don't actually do a whole lot on their own, they typically just store further files. But they also happen to remove Mark of the Web in certain circumstances. So Mark of the Web is a piece of metadata that tells Microsoft Windows that this file is downloaded from the Internet. So it causes a pop-up for the user to keep them from executing files. But unfortunately, with ISO images and .IMG images and other containers Mark of the Web can be removed. So the circumstances in which it's removed are tricky, but they are pretty much always removed with ISO files. So this means that when this file is delivered, all of the contents don't have Mark of the Web. So an unsuspecting user can execute them without seeing a pop-up that says this file was downloaded from the Internet.

PAUL ROBERTS
Right.

JOSEPH EDWARDS
So in this case they were storing an executable, which was kind of like a fake assessment that was sent by ZINC and a text file, which was some data that they needed to put into the program to get the malware to launch. So that's what was in these files.

PAUL ROBERTS
Basically a username and password basically, that would tell the malware to launch. And we'll talk about this so that the malware was configured to not run 100% of the time only in specific circumstances. In the case of the malicious programs, they basically trojanized a bunch of common open source tools PuTTY, KiTTY, TightVNC. What are these tools? And how exactly did the North Koreans, did the Lazarus group compromise them? What did they do to them?

JOSEPH EDWARDS
PuTTY and KiTTY are both basically tools for gaining remote terminal access. It's a pretty common tool among system administrators and network administrators for just logging into another computer. And it is feasible that plenty of normal users use PuTTY on a daily basis. It's an open source tool, which means you can go online and find the source code on GitHub. So it's something that probably has a lot of trust in the IT community. But in this case they have compiled a backdoor basically into this program and other programs. So these programs are all designed to remotely log into another computer. And so the threat group is delivering this tool and saying as part of the next round of your interview for this dream job, you'll be logging into some remote machine to complete an assessment.

PAUL ROBERTS
Right.

JOSEPH EDWARDS
And so the user thinks that they're logging into some kind of test machine to complete an assessment. So they're putting in an IP address and username and password into these executables. It might be PuTTY, it might be KiTTY, but little did they know that actually launches further payloads.

PAUL ROBERTS
And what were the ultimate payloads here? What was the final deliverable in these attacks and what were the, I guess, larger objectives of the attacks as far as we can tell?

JOSEPH EDWARDS
Not to get too technical too fast, but basically the first file into which they put the username and passwords and credentials, that is a loader and that stores shellcode and an embedded DLL payload. And so that loader executes the shellcode which executes the payload. The final payload was actually itself also a piece of open source software that had been Trojanized by the threat actor. It looks like a plug-in for a program called Notepad++. It's basically a tool that makes things easier in Notepad++. It's kind of a word processing tool but none of that functionality is actually used. It just uses the open source software as a container. And this is something that we see kind of commonly with this threat group, is that they are just putting some routine within a larger piece of software. So it does command and control. It's sort of like a simple beacon/stager. The functionality is pretty limited but it does allow the execution of further payloads as shellcode typically.

PAUL ROBERTS
And for all these kind of open source tools that have been trojanized, I mean, is it a trivial matter to determine that they've been tampered with or compromised? I guess these are developers applying for development positions and so at some level they're comfortable with these open source packages or at least familiar with them. But how would you even know that there had been malicious functionality added to this thing?

JOSEPH EDWARDS
Typically you would like to verify that this program came from the legitimate developer. When something is open source you can compile it yourself and that will result in a different hash value perhaps just due to whatever compiler you use. So if you compile a source code and you get a binary, it may not exactly match the hash that the developer has. So it's typically best practice to only use PuTTY or TightVNC from the developer. So if you were one of these victims, the best thing to do if you thought this was a legitimate assessment would be to download PuTTY from the official site and then log into this box if it were a legitimate assessment. So if you're an end user you might just Google the hash of the program that's been given to you and notice that it is not the official hash, right. As for verifying that it is malware, it's not so easy, not from a dynamic perspective, unless you have a certain amount of expertise. It's not very obvious from a static perspective either.

PAUL ROBERTS
Okay, but just from the recipient standpoint, even just checking the hash against or even just downloading the actual tool rather than just downloading whatever was sent to you in the ISO or I guess conceivably checking the hash value of what you were sent versus the actual developer's version. Official version would be enough to tip you off that something was amiss here, even if you couldn't tell exactly what.

JOSEPH EDWARDS
Yeah, and it does take a bit of a technical step there. Not a lot of people are used to checking the hash values of programs on their computers.

PAUL ROBERTS
So one of the things you noted was that a lot of the samples with APT groups like Lazarus were pretty conditioned to them building persistence features into their malware. So once they get a foothold in an environment, they really don't want to give it up. In this case, you noticed a lot of the samples that you were looking at actually didn't have, some did, but many did not. What would explain that?

JOSEPH EDWARDS
And I think this kind of ties into the fact that we've already mentioned these trojanized binaries came in a bunch of different flavors. And if you read the Microsoft report, there's just tons of different payloads. And from my research, I saw that some of them stored the DLL for the final payload in reverse. Sometimes it was encrypted, sometimes it was just there and just the plain DLL, the bytes of it. So it's clear that there's been a development process. They started off with a bit of a bare bones loader and then they went through different methods of flipping the bytes and perhaps working on evasion from antivirus and all of that kind of thing. But it's clear that their tool has been kind of evolving and that they have different ways of plugging in this loader framework into open source software. So it's clear that this tool has been evolving over time. And some of the earlier variants didn't seem to have persistence. But at the same time, if they have sort of a very hands on the keyboard and reactive approach to things, as soon as the victim executes this item, the threat actor is already on the line. They're already waiting so that they can deploy further payloads. They might not need persistence within the original payload because they're highly interactive. That's just one possibility. But I think it's clear that they had a bit of a tool life cycle here.

PAUL ROBERTS
And you mentioned the evasion features. What were some of the things that Lazarus group, this APT group, were doing to avoid detection by would-be victims? Some of the anti-detection features they had built into this attack.

JOSEPH EDWARDS
I would say that they didn't appear to care very much about being detected by antivirus. I would say the detection rates for these payloads were not very low. Pretty much across the board. This looks bad from a static perspective, but from a dynamic perspective, they did kind of manage to avoid alerting the user by of course, this is a trojanized version of a regular open source software program. So if you run the payload, it looks like PuTTY or it looks like TightVNC, and it doesn't execute any of the malicious functionality unless you put these details in like the specific details that they've given you. And these are hard coded into the malware. So if you were executing this in a sandbox, you wouldn't get the malicious behavior unless you were working in a high interaction sandbox and you knew what to put in. So looking at this file by itself and without having the credentials, it evades detection from a dynamic perspective. But of course, static analysis is a whole different story.

PAUL ROBERTS
Yeah. So I mean, what can organizations, what lessons can they take from that in terms of reliable ways to get some of this malware to sort of out itself within your environment?

JOSEPH EDWARDS
Sure, there are various ways from a static perspective. Perhaps if you're an antivirus or security company to where you can build in detections for this kind of thing. It was pretty trivial to create YARA signatures for these types of payloads. From a dynamic perspective, having some kind of behavioral monitoring would be really good for any type of unsigned code. Of course, this code was not signed. Just open source compiled binaries. Other things that can kind of help with attacks like these are turning off automatic mounting of ISO files. So a lot of people have been kind of talking about how most users don't need ISO images. They're kind of mostly used by threat actors and perhaps IT professionals who have some reason for passing around maybe system images in ISO format...

PAUL ROBERTS
Generally not job recruiters?

JOSEPH EDWARDS
Right. Yeah, so I mean, having some visibility and introspection into these kind of odd file formats that are mostly used by threat actors can really help a lot as well.

PAUL ROBERTS
As you said, obviously there's a really big social engineering campaign component to this campaign. Multiple points of contact prior to the delivery of the ISO images and back and forth. So high touch social engineering campaign to get folks to download and install this stuff. So I guess one question is, is it enough for organizations to really just target that part of the attack chain, kill chain as it were, and say, just focus on educating your employees about this, make sure that they're aware of this particular attack vector? Or should they focus energy and resources more on the after effects, the detection piece of it, and some of these elements, the ISO part of it or what have you? Where are the best bet to put their resources, time and money?

JOSEPH EDWARDS
I definitely think that attacks like these, with a major social engineering component, you really have to kind of have defense in depth because a lot of people, a lot of organizations, they understand the phishing threat. They understand that they need an email gateway. But having somebody on LinkedIn who poses as a recruiter for your company is maybe a type of threat they're not familiar with. So large organizations like LinkedIn may need to be a bit more aggressive with some of the impersonation. Organizations may need to look out for it, just like they look out for typosquatting and typosquatting is when a threat actor registers a domain name similar to an organization's domain name to trick victims into going to a link that is actually malicious. So it's kind of a similar thing to where the platform LinkedIn will need to probably give this more attention. But organizations at all levels of this kind of thing, at the email level, but also at the impersonation level and even further, of course, at the behavioral monitoring of the networks.

PAUL ROBERTS
Yeah, and I mean for organizations, too. Again, these are often developers being targeted. They tend to be sophisticated users, highly privileged users. Right. So the sort of user least privilege approach is probably not going to work particularly well with them because they have honest need to run open source tools like this and to be able to download and run it. So it's like that kind of breaks down in some ways. That leaves organizations in kind of a tough spot. Right. Especially if, again, these highly privileged users, developers, what have you, sysadmins are the ones being targeted in these attacks.

JOSEPH EDWARDS
Exactly. In this campaign, ZINC was specifically targeting software engineers, site reliability engineers. So these assessments were definitely targeted at IT professionals and people proficient with these kinds of tools. So it definitely kind of reminds you to be on your toes no matter how deep you are into cybersecurity.

PAUL ROBERTS
Okay, what do we know about these attacks now? Obviously, Microsoft wrote about it a couple of few months ago. These still going on? Is this still a risk companies need to be aware of?

JOSEPH EDWARDS
I mean, definitely. I believe the first dream job type campaign was back in 2018, and it's been four years. They're still employing the same tactics, pretty much sometimes...

PAUL ROBERTS
If it ain't broke, don't fix it.

JOSEPH EDWARDS
Right, exactly. So one of the tools that was used in this campaign that I didn't really dive into because people have done pretty good research on it already. ZINC will also send customized PDF readers. As you know, PDFs, typically people are opening PDFs in their browser these days, so it's typically pretty safe because browsers are sandboxed. But ZINC has a history of making their own tools, getting unsuspecting users to open them. And those PDFs being job descriptions, job applications. So these are very common techniques for them.

PAUL ROBERTS
They're going to look normal. It's going to look like a normal PDF reader that you're familiar with, but it's got some malicious functionality that's been added to it that you're not going to be privy to?

JOSEPH EDWARDS
Definitely.

PAUL ROBERTS
Joseph, anything I didn't ask you that I should have?

JOSEPH EDWARDS
I think we've covered everything pretty well, actually.

PAUL ROBERTS
Well, Joseph Edwards, Malware Researcher here at ReversingLabs. Thank you so much for coming on and speaking to us again on ConversingLabs. And I'm sure we're going to have you back.

About Author: Paul Roberts

Content Lead at ReversingLabs. Paul is a reporter, editor and industry analyst with 20 years’ experience covering the cybersecurity space. He is the founder and editor in chief at The Security Ledger, a cybersecurity news website. His writing about cyber security has appeared in publications including Forbes, The Christian Science Monitor, MIT Technology Review, The Economist Intelligence Unit, CIO Magazine, ZDNet and Fortune Small Business. He has appeared on NPR’s Marketplace Tech Report, KPCC AirTalk, Fox News Tech Take, Al Jazeera and The Oprah Show.