Warning: weaponized open-source tools

We would like to draw your attention to increasingly frequent attacks using the weaponization of open-source tools, which target a wide range of organizations from the media, through defense and aerospace, to the IT services industries. The attacks are carried out using social engineering. Thanks to this, the attackers lure job seekers with fraudulent job offers. An ISO file infected with Trojan malware is subsequently sent to the applicants who respond to such an offer.

25 Nov 2022 Warnings

No description

What’s going on?

The term weaponization comes from the word weapon. It is the process by which something initially harmless is transformed into a dangerous weapon. In this case, these are open-source tools that attackers infect with Trojan malware and use for their benefit.

This is a further development of the "Operation Dream Job" campaign, which targets job seekers who respond to fraudulent job offers shared on LinkedIn. People who respond to such job offer receive a file that looks harmless at first glance but is infected with a harmful virus.

According to Microsoft, the North Korean hacker group Zinc, sometimes referred to as Labyrinth Chollima or Lazarus, which has been operating since 2009, is most likely behind these attacks. Zinc uses many open-source tools for attacks, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer.

The mentioned attacks of the Zinc group are motivated by cyberespionage, a vision of financial gain, an attempt to steal personal or company data, or they seek to destroy the network of the targeted organization.

What to do?

We recommend you download apps only from verified sources. Alternatively, we recommend verifying the checksums of the downloaded files.
You might be wondering, “What is the checksum of a downloaded file?”. A checksum can be compared to a file's fingerprint, which is used to ensure the file's integrity after being transferred from one device to another. The calculated checksum has the form of a hash that looks like a long string of characters (e.g.: dd17108d6b1030007301fd7957a59e8d695dcbe073c9ade0da84d3b2).
Most often, checksums are in SHA256 or MD5 format, which are the hash functions that the files are encoded with. You can find MD5 mainly in older files.
How to find and verify such a checksum of a downloaded file? The first step is to open the folder where you saved the file. Then proceed according to the instructions below, based on your computer's operating system (Windows/Linux/macOS).

Instructions for Windows

1. In the open folder, press the combination of characters ALT + D, type the shortcut cmd, and press ENTER. A black window, which is a command prompt, will pop up.
2. In the command prompt type: certUtil -hashfile <filename together with extension> <algorithm>
3. Press ENTER. You will see the checksum of the given file.
Examples:
certUtil -hashfile <downloaded_file.exe> md5
certUtil -hashfile <downloaded_file.exe> sha56

Instructions for Linux

1. Right-click in the folder where the file is stored and select "Open in Terminal".
2. Enter: <algorithmsum> <filename together with extension> in the Terminal
3. Press ENTER. You will see the checksum of the given file.
Examples:
md5sum <downloaded_file.exe>
sha256sum <downloaded_file.exe>

Instructions for macOS

1. Open a Terminal window: Click on Launchpad on the taskbar, search Terminal, click on it, and it will launch.
2. Type md5 or shasum -a 256 into Terminal
3. Drag and drop the selected file to the Terminal window. The path to the folder in which the file is stored, along with its name and extension, will be displayed.
4. Press ENTER. You will see the checksum of the given file.
Examples:
md5 <absolute file path> <downloaded_file.exe>
shasum -a 256 <absolute file path> <downloaded_file.exe>

Then you need to compare the long string of characters you found with the checksum listed on the legitimate page of the publisher. For example, in the case of the Apache OpenOffice program, you will find its checksum published right below the "download" buttons:

Link to view the Apache OpenOffice checksum on the publisher's website

After clicking on SHA256, you will see the hash of that file, which should look the same as the hash you found. If the checksums differ, the file is corrupted or modified and we recommend deleting it.

: Checksum of the Apache OpenOffice program published on the publisher's website

In case the checksum is not published on the publisher's official website, you can insert the checksum into the search on the VIRUSTOTAL website. If the program detects that the file is infected, do not open it and delete it from your computer permanently.

Conclusion

Recent attacks using the weaponization of open-source tools show us that caution in cyberspace is never enough. If you want to gain more confidence, we recommend you read the other tips we have prepared for you. We believe no internet scammer won’t be able to cheat on you after reading them. In case of any questions, do not hesitate to contact us at csirt@muni.cz.

You are running an old browser version. We recommend updating your browser to its latest version.

More info