ConversingLabs PODCAST

Season 3, EP 4

ZetaNile - Open Source Software Trojans

ConversingLabs Podcast, November 30, 2022

In this episode, host Paul Roberts chats with ReversingLabs Malware Researcher Joseph Edwards about his latest threat research on ZetaNile, which is a set of trojanized, open source software implants.

Plus: Joseph Edwards' deep dive on ZetaNile

EPISODE TRANSCRIPT

PAUL ROBERTS
Hey, welcome back to ConversingLabs. I'm your host, Paul Roberts, and ConversingLabs, if you're new to this show, is ReversingLabs' podcast, where we talk about the latest happenings in threat analysis, software assurance. And we talk to the best and brightest minds in cybersecurity, and we've got one of them on the line here today. Welcoming back Joseph Edwards, who is a malware researcher here at ReversingLabs. Joseph, welcome.

JOSEPH EDWARDS
Thanks, Paul. Glad to be back.

PAUL ROBERTS
It's great to have you back. How have you been?

JOSEPH EDWARDS
Been pretty good. Still doing the research, still working on the malware, trying to dive in deep and get technical.

PAUL ROBERTS
Yeah. And you're with us here today because you've got some new research that you put together on a threat that has been getting a fair amount of kind of attention in recent weeks, but you did sort of a deep dive on it. And this is a piece of malware that we're calling ZetaNile, is that right?

JOSEPH EDWARDS
Yeah, that's the Microsoft naming for the specific component. So yeah, that's something that they've named and they published some of the first research on it. But we've gone ahead and done a deep dive into the technical aspects.

PAUL ROBERTS
This was back in September. So what do you know? What can you tell us about this specific attack? And also what do we know about how long it was uncovered in September, how long it was going on before it was detected?

JOSEPH EDWARDS
From the looks of things, the report is on a group that they track as ZINC. It's a North Korean group. And we know that they have a history of conducting these campaigns on LinkedIn. So the timeline of this campaign is not exactly super clear, but since June is when Microsoft was saying that they've been conducting the attacks. And so throughout these campaigns, they've been using this tool called ZetaNile, which is kind of a loader that they've embedded in open source software. They've Trojanized a couple of different software products to get past unsuspecting users, and they use a lot of social engineering as well. But that's kind of the background.

PAUL ROBERTS
Yeah. And we'll talk about that. ZINC, aka Lazarus. This is a North Korean advanced persistent threat group presumed to be affiliated with the government of North Korea. Given that, I don't think you do anything in North Korea without the safe seal of the government. What do we know about Lazarus/ZINC, and kind of their M.O. and who they target, that type of stuff?

JOSEPH EDWARDS
Sure. They definitely have a history of targeting major defense contractors and manufacturing and aerospace and various companies like that. Some of the bigger names include Boeing and Lockheed Martin and various targets that could be valuable to them. So they do have a history of doing these dream job campaigns where they will post some kind of job description, get people to apply via the official link, and then follow up with the victims as if they are recruiters or HR at these companies. So this was a similar campaign.

PAUL ROBERTS
Pretty clever actually, to sort of engage, send them to a legitimate job posting and then follow up and, oh, thanks for the application, we're really interested. Here's a malicious link, could you click on it? And that's apparently what happened in the case with this ZetaNile. They sent them these ISO images basically to download and install, I guess. a) Should that be a red flag to anybody engaged in a discussion about a potential job offering? And b) These ISO images, what did they have in them and what happened to the people who downloaded and ran these things?

JOSEPH EDWARDS
That's a good point. The ISO images have become a popular delivery method for malware because they are containers, basically not too different from having, like, a zip file. They don't actually do a whole lot on their own, they typically just store further files. But they also happen to remove Mark of the Web in certain circumstances. So Mark of the Web is a piece of metadata that tells Microsoft Windows that this file is downloaded from the Internet. So it causes a pop-up for the user to keep them from executing files. But unfortunately, with ISO images and .IMG images and other containers, Mark of the Web can be removed. So the circumstances in which it's removed are tricky, but they are pretty much always removed with ISO files. So this means that when this file is delivered, all of the contents don't have Mark of the Web. So an unsuspecting user can execute them without seeing a pop-up that says this file was downloaded from the Internet.

PAUL ROBERTS
Right.

JOSEPH EDWARDS
So in this case they were storing an executable, which was kind of like a fake assessment that was sent by ZINC, and a text file, which was some data that they needed to put into the program to get the malware to launch. So that's what was in these files.

PAUL ROBERTS
Basically a username and password, basically, that would tell the malware to launch. And we'll talk about this, so that the malware was configured to not run 100% of the time, only in specific circumstances. In the case of the malicious programs, they basically trojanized a bunch of common open source tools: PuTTY, KiTTY, TightVNC. What are these tools? And how exactly did the North Koreans, did the Lazarus group, compromise them? What did they do to them?

JOSEPH EDWARDS
PuTTY and KiTTY are both basically tools for gaining remote terminal access. It's a pretty common tool among system administrators and network administrators for just logging into another computer. And it is feasible that plenty of normal users use PuTTY on a daily basis. It's an open source tool, which means you can go online and find the source code on GitHub. So it's something that probably has a lot of trust in the IT community. But in this case they have compiled a backdoor basically into this program and other programs. So these programs are all designed to remotely log into another computer. And so the threat group is delivering this tool and saying, as part of the next round of your interview for this dream job, you'll be logging into some remote machine to complete an assessment.

PAUL ROBERTS
Right.

JOSEPH EDWARDS
And so the user thinks that they're logging into some kind of test machine to complete an assessment. So they're putting in an IP address and username and password into these executables. It might be PuTTY, it might be KiTTY, but little did they know that actually launches further payloads.

PAUL ROBERTS
And what were the ultimate payloads here? What was the final deliverable in these attacks and what were the, I guess, larger objectives of the attacks, as far as we can tell?

JOSEPH EDWARDS
Not to get too technical too fast, but basically the first file, into which they put the username and passwords and credentials, that is a loader, and that stores shellcode and an embedded DLL payload. And so that loader executes the shellcode, which executes the payload. The final payload was actually itself also a piece of open source software that had been trojanized by the threat actor. It looks like a plug-in for a program called Notepad++. It's basically a tool that makes things easier in Notepad++. It's kind of a word processing tool, but none of that functionality is actually used. It just uses the open source software as a container. And this is something that we see kind of commonly with this threat group, is that they are just putting some routine within a larger piece of software. So it does command and control. It's sort of like a simple beacon/stager. The functionality is pretty limited, but it does allow the execution of further payloads as shellcode, typically.

PAUL ROBERTS
And for all these kind of open source tools that have been trojanized, I mean, is it a trivial matter to determine that they've been tampered with or compromised? I guess these are developers applying for development positions, and so at some level they're comfortable with these open source packages or at least familiar with them. But how would you even know that there had been malicious functionality added to this thing?

JOSEPH EDWARDS
Typically you would like to verify that this program came from the legitimate developer. When something is open source you can compile it yourself, and that will result in a different hash value, perhaps just due to whatever compiler you use. So if you compile a source code and you get a binary, it may not exactly match the hash that the developer has. So it's typically best practice to only use PuTTY or TightVNC from the developer. So if you were one of these victims, the best thing to do, if you thought this was a legitimate assessment, would be to download PuTTY from the official site and then log into this box, if it were a legitimate assessment. So if you're an end user you might just Google the hash of the program that's been given to you and notice that it is not the official hash, right. From verifying that it is malware, it's not so easy, not from a dynamic perspective, unless you have a certain amount of expertise. It's not very obvious from a static perspective either.

PAUL ROBERTS
Okay, but just from the recipient standpoint, even just checking the hash against, or even just downloading the actual tool rather than just downloading whatever was sent to you in the ISO, or I guess conceivably checking the hash value of what you were sent versus the actual developer's version, official version, would be enough to tip you off that something was amiss here, even if you couldn't tell exactly what.

JOSEPH EDWARDS
Yeah, and it does take a bit of a technical step there. Not a lot of people are used to checking the hash values of programs on their computers.

PAUL ROBERTS
So one of the things you noted was that a lot of the samples with APT groups like Lazarus, we're pretty conditioned to them building persistence features into their malware. So once they get a foothold in an environment, they really don't want to give it up. In this case, you noticed a lot of the samples that you were looking at actually didn't have it. Some did, but many did not. What would explain that?

JOSEPH EDWARDS
And I think this kind of ties into the fact that we've already mentioned these trojanized binaries came in a bunch of different flavors. And if you read the Microsoft report, there's just tons of different payloads. And from my research, I saw that some of them stored the DLL for the final payload in reverse. Sometimes it was encrypted, sometimes it was just there, just the plain DLL, the bytes of it. So it's clear that there's been a development process. They started off with a bit of a bare-bones loader and then they went through different methods of flipping the bytes and perhaps working on evasion from antivirus and all of that kind of thing. But it's clear that their tool has been kind of evolving and that they have different ways of plugging in this loader framework into open source software. So it's clear that this tool has been evolving over time. And some of the earlier variants didn't seem to have persistence. But at the same time, if they have sort of a very hands-on-the-keyboard and reactive approach to things, as soon as the victim executes this item, the threat actor is already on the line. They're already waiting so that they can deploy further payloads. They might not need persistence within the original payload because they're highly interactive. That's just one possibility. But I think it's clear that they had a bit of a tool life cycle here.

PAUL ROBERTS
And you mentioned the evasion features. What were some of the things that Lazarus group, this APT group, were doing to avoid detection by would-be victims? Some of the anti-detection features they had built into this attack.

JOSEPH EDWARDS
I would say that they didn't appear to care very much about being detected by antivirus. I would say the detection rates for these payloads were not very low. Pretty across the board. This looks bad from a static perspective, but from a dynamic perspective, they did kind of manage to avoid alerting the user, because, of course, this is a trojanized version of a regular open source software program. So if you run the payload, it looks like PuTTY or it looks like TightVNC, and it doesn't execute any of the malicious functionality unless you put these details in, like the specific details that they've given you. And these are hard-coded into the malware. So if you were executing this in a sandbox, you wouldn't get the malicious behavior unless you were working in a high-interaction sandbox and you knew what to put in. So looking at this file by itself and without having the credentials, it evades detection from a dynamic perspective. But of course, static analysis is a whole different story.

PAUL ROBERTS
Yeah. So I mean, what can organizations, what lessons can they take from that in terms of reliable ways to get some of this malware to sort of out itself within your environment?

JOSEPH EDWARDS
Sure, there are various ways from a static perspective. Perhaps if you're an antivirus or security company, to where you can build in detections for this kind of thing. It was pretty trivial to create YARA signatures for these types of payloads. From a dynamic perspective, having some kind of behavioral monitoring would be really good for any type of unsigned code. Of course, this code was not signed. Just open source compiled binaries. Other things that can kind of help with attacks like these are turning off automatic mounting of ISO files. So a lot of people have been kind of talking about how most users don't need ISO images. They're kind of mostly used by threat actors and perhaps IT professionals who have some reason for passing around maybe system images in ISO format...

PAUL ROBERTS
Generally not job recruiters?

JOSEPH EDWARDS
Right. Yeah, so I mean, having some visibility and introspection into these kind of odd file formats that are mostly used by threat actors can really help a lot as well.

PAUL ROBERTS
As you said, obviously there's a really big social engineering component to this campaign. Multiple points of contact prior to the delivery of the ISO images and back and forth. So high-touch social engineering campaign to get folks to download and install this stuff. So I guess one question is, is it enough for organizations to really just target that part of the attack chain, kill chain as it were, and say, just focus on educating your employees about this, make sure that they're aware of this particular attack vector? Or should they focus energy and resources more on the after effects, the detection piece of it, and some of these elements, the ISO part of it or what have you? Where is the best bet to put their resources, time and money?

JOSEPH EDWARDS
I definitely think that with attacks like these, with a major social engineering component, you really have to kind of have defense in depth, because a lot of people, a lot of organizations, they understand the phishing threat. They understand that they need an email gateway. But having somebody on LinkedIn who poses as a recruiter for your company is maybe a type of threat they're not familiar with. So large organizations like LinkedIn may need to be a bit more aggressive with some of the impersonation. Organizations may need to look out for it, just like they look out for typosquatting, and typosquatting is when a threat actor registers a domain name similar to an organization's domain name to trick victims into going to a link that is actually malicious. So it's kind of a similar thing, to where the platform LinkedIn will need to probably give this more attention. But organizations at all levels of this kind of thing, at the email level, but also at the impersonation level and even further, of course, at the behavioral monitoring of the networks.

PAUL ROBERTS
Yeah, and I mean for organizations, too. Again, these are often developers being targeted. They tend to be sophisticated users, highly privileged users. Right. So the sort of user least-privilege approach is probably not going to work particularly well with them because they have an honest need to run open source tools like this and to be able to download and run it. So it's like that kind of breaks down in some ways. That leaves organizations in kind of a tough spot. Right. Especially if, again, these highly privileged users, developers, what have you, sysadmins, are the ones being targeted in these attacks.

JOSEPH EDWARDS
Exactly. In this campaign, ZINC was specifically targeting software engineers, site reliability engineers. So these assessments were definitely targeted at IT professionals and people proficient with these kinds of tools. So it definitely kind of reminds you to be on your toes no matter how deep you are into cybersecurity.

PAUL ROBERTS
Okay, what do we know about these attacks now? Obviously, Microsoft wrote about it a couple of few months ago. These still going on? Is this still a risk companies need to be aware of?

JOSEPH EDWARDS
I mean, definitely. I believe the first dream job type campaign was back in 2018, and it's been four years. They're still employing the same tactics, pretty much, sometimes...

PAUL ROBERTS
If it ain't broke, don't fix it.

JOSEPH EDWARDS
Right, exactly. So one of the tools that was used in this campaign that I didn't really dive into, because people have done pretty good research on it already: ZINC will also send customized PDF readers. As you know, PDFs, typically people are opening PDFs in their browser these days, so it's typically pretty safe because browsers are sandboxed. But ZINC has a history of making their own tools, getting unsuspecting users to open them. And those PDFs being job descriptions, job applications. So these are very common techniques for them.

PAUL ROBERTS
They're going to look normal. It's going to look like a normal PDF reader that you're familiar with, but it's got some malicious functionality that's been added to it that you're not going to be privy to?

JOSEPH EDWARDS
Definitely.

PAUL ROBERTS
Joseph, anything I didn't ask you that I should have?

JOSEPH EDWARDS
I think we've covered everything pretty well, actually.

PAUL ROBERTS
Well, Joseph Edwards, Malware Researcher here at ReversingLabs. Thank you so much for coming on and speaking to us again on ConversingLabs. And I'm sure we're going to have you back.
