Zinc APT is Conducting an Attack Against Victims in Critical Sectors

As a consequence, seven groups have been identified as being targeted, including pen testers, private offensive security researchers, and employees of security and technology companies. Based on the observations made by MSTIC, which is a Microsoft Threat Intelligence Center, we can attribute this campaign with high confidence to ZINC, which is a DPRK-affiliated and state-sponsored group, given its tradecraft, infrastructure, malware patterns, and account affiliations.

Campaigns designed to attack 

Using a high degree of confidence, Microsoft Threat Prevention and Defense has linked these recent attacks to a threat group identified as Zinc. The group is allegedly associated with recent attacks on LinkedIn. In addition, the group is also linked with one of the groups of the Lazarus movement.

• During their experiments, researchers noticed Zinc using a wide variety of open-source software, including KiTTY, TightVNC, Sumatra PDF Reader, PuTTY, and muPDF/Subliminal Recording software installers.

• As far as Microsoft is concerned, there are around five methods for trojanizing open-source applications, including packing with commercial software protection Themida, hijacking DLL Search orders, using custom encryption methods, encoding victim information in parameters associated with common keywords, and using SSH clients.

• A number of these applications are bundled with malicious shellcodes and malicious payloads that belong to the ZetaNile malware family that researchers have been tracking.

Is there anyone who has been affected by the crisis?

There has been a recent rash of attacks caused by Zinc on employees of various companies located in the United Kingdom, the United States, Russia, and India. These companies operate in different industries such as defense, aerospace, IT services, and media.