North Korean hackers target security researchers




Photo: JACK GUEZ / AFP (Getty Images)

A recent social engineering campaign by North Korean state-backed hackers has successfully fooled a number of security professionals involved in vulnerability research and development, according to a new report from Google’s Threat Analysis Group (TAG).

The unnamed threat group used various social engineering tactics to masquerade as fellow “white hat” security specialists, convincing unsuspecting experts that they were looking to collaborate on research, the TAG report shows.

Much of the ruse revolved around a fake research blog filled with write-ups and analysis of already-public vulnerabilities. The hackers even recruited unwitting legitimate researchers as “guest” authors, in an apparent “attempt to build credibility.” They also posted YouTube videos on social media purporting to walk through exploits they had developed, at least some of which were faked, another ploy to build trust.

A number of threat researchers took to Twitter on Monday evening, saying they had been targeted by the campaign.

The hackers also used the blog itself as an infection vector. Some researchers who clicked through to an article hosted on the site were compromised: malware was delivered and a backdoor was created that would “begin to beacon” (that is, call home) to the group’s command-and-control server. Zero-day vulnerabilities were likely used, since the victims were running fully patched, up-to-date versions of Chrome and Windows 10, the report notes.

Malware was also delivered under the cover of “research collaboration”. The report states:

“After establishing the initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio project. In the Visual Studio project, there would be source code to exploit the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with C2 domains controlled by the actor.”
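The practical lesson of that paragraph is that a Visual Studio project is executable content: PreBuildEvent, PreLinkEvent and PostBuildEvent commands, Exec tasks in custom targets, and non-standard Import files all run the moment you press Build, before the “exploit” source is even compiled. The following is an added example (not code from the TAG report or from this article) of a static pre-flight check a researcher can run over a project received from an unknown collaborator before opening it in Visual Studio. The two project files embedded in it are constructed for illustration; the DLL path, export name and script name in them are made up.

```python
"""Static scan of MSBuild project files (.vcxproj/.csproj/.props/.targets/.user)
for build-time code execution hooks. Added example; the sample projects below
are constructed and do not come from the TAG report."""
import re
import xml.etree.ElementTree as ET

# MSBuild item-definition properties whose <Command> runs as a shell command at build time.
BUILD_EVENT_PROPS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}
# Imports of these well-known toolchain locations are expected; anything else deserves a look.
STANDARD_IMPORT = re.compile(
    r"\$\((VCTargetsPath|MSBuildToolsPath|MSBuildBinPath|MSBuildExtensionsPath)\)"
)
# Substrings that usually mean "load or execute an arbitrary binary/script".
SUSPICIOUS_TOKENS = (
    "rundll32", "regsvr32", "powershell", "cmd.exe", "cmd /c",
    "mshta", "wscript", "cscript", ".dll", ".ps1",
)


def _local(tag):
    """Strip the MSBuild XML namespace: '{uri}PostBuildEvent' -> 'PostBuildEvent'."""
    return tag.rsplit("}", 1)[-1]


def scan_msbuild_project(xml_text):
    """Return (kind, element, value) for every build hook found in one project file."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in BUILD_EVENT_PROPS:
            cmd_el = next((c for c in elem if _local(c.tag) == "Command"), None)
            cmd = (cmd_el.text or "").strip() if cmd_el is not None else ""
            if cmd:
                findings.append(("build_event", name, cmd))
        elif name == "Exec":
            findings.append(("exec_task", name, (elem.get("Command") or "").strip()))
        elif name == "Import":
            proj = elem.get("Project", "")
            if not STANDARD_IMPORT.search(proj):
                findings.append(("nonstandard_import", name, proj))
    return findings


def flag_suspicious(findings):
    """Subset of findings whose command/path contains a known execution primitive."""
    return [f for f in findings if any(t in f[2].lower() for t in SUSPICIOUS_TOKENS)]


def review(xml_text):
    """Summarise one project file. Any hook at all means: read it before you build."""
    hooks = scan_msbuild_project(xml_text)
    suspicious = flag_suspicious(hooks)
    if suspicious:
        verdict = "DO NOT BUILD"
    elif hooks:
        verdict = "review hooks before building"
    else:
        verdict = "no build hooks found"
    return {"hooks": hooks, "suspicious": suspicious, "verdict": verdict}


# Constructed sample: a "shared exploit" project whose Build Events load a DLL via rundll32
# and run a script from a custom target. Names are invented for the example.
MALICIOUS_VCXPROJ = r"""<Project DefaultTargets="Build" ToolsVersion="16.0"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile><WarningLevel>Level3</WarningLevel></ClCompile>
    <PostBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)libs\helper.dll",Init</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Prepare" BeforeTargets="PrepareForBuild">
    <Exec Command="powershell -ep bypass -File $(ProjectDir)setup.ps1" />
  </Target>
  <ItemGroup><ClCompile Include="exploit.cpp" /></ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
</Project>"""

# Constructed sample: the same project with no build hooks.
BENIGN_VCXPROJ = r"""<Project DefaultTargets="Build" ToolsVersion="16.0"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile><WarningLevel>Level3</WarningLevel></ClCompile>
  </ItemDefinitionGroup>
  <ItemGroup><ClCompile Include="exploit.cpp" /></ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
</Project>"""

if __name__ == "__main__":
    for label, text in (("malicious", MALICIOUS_VCXPROJ), ("benign", BENIGN_VCXPROJ)):
        result = review(text)
        print(label, "->", result["verdict"])
        for kind, element, value in result["hooks"]:
            print("   ", kind, element, value)
```

Run this over every .vcxproj, .csproj, .props, .targets and .user file in the received tree, not just the top-level project: MSBuild also auto-imports Directory.Build.props and Directory.Build.targets from parent directories and picks up *.user files next to the project, so a hook can live outside the file you were told to open. Anything that turns up should be read, and the referenced binaries examined, in an isolated VM before the project is built anywhere that matters.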

The threat group used a variety of channels to reach its targets, including email, fake Twitter and Telegram accounts, LinkedIn, Keybase, and others. In its report, TAG listed the URLs of a number of since-removed social media and LinkedIn accounts it says were used in the campaign.

Image: Twitter screenshot

“We hope this article serves as a reminder to members of the security research community that they are the target of government-backed attackers and that they must remain vigilant when interacting with people they have not previously interacted with,” the TAG researchers wrote.

The researchers say they have not yet discovered the “compromise mechanism” the hackers used against the targeted security researchers, “but we welcome any information that others may have.”
