
Group of hooded hackers shining through a North Korea flag digital cybersecurity concept
Michael Borgers, Getty Images / iStockphoto
Google said today that a government-backed hacking group based in North Korea is targeting members of the cybersecurity community who work on vulnerability research.
The attacks were detected by the Google Threat Analysis Group (TAG), a Google security team that specializes in tracking advanced persistent threat (APT) groups.
In a report published today, Google said North Korean hackers used multiple profiles on various social networks, such as Twitter, LinkedIn, Telegram, Discord and Keybase, to contact security researchers using fake personas.
E-mail has also been used in some cases, Google said.
“After establishing the initial communications, the actors would ask the target researcher if they would like to collaborate on the vulnerability research and then provide the researcher with a Visual Studio project,” said Adam Weidemann, security researcher at Google TAG.
The Visual Studio project contained malicious code that installed malware on the targeted researcher's system. The malware acted as a backdoor, contacting a command and control (C2) server and waiting for commands.
New mysterious browser attack also discovered
But Weidemann said the attackers did not always send malicious files to their targets. In other cases, they asked security researchers to visit a blog they hosted at blog[.]br0vvnn[.]io (do not visit it).
Google said the blog hosted malicious code that infected the security researcher’s computer after accessing the site.
“A malicious service was installed on the researcher’s system and an in-memory backdoor began beaconing to a command and control server owned by the actor,” said Weidemann.
Google TAG also noted that many victims who accessed the site were running “fully patched and up-to-date versions of Windows 10 and the Chrome browser” and were still infected.
Details about the browser-based attack are still scarce. Google has not said how the infection happened, but some security researchers believe the North Korean group likely chained Chrome and Windows 10 zero-day vulnerabilities to deploy its malicious code.
As a result, the Google TAG team is currently asking the cyber security community to share more details about the attacks, if any security researchers believe they have been infected.
The Google TAG report includes a list of the fake social media profiles the North Korean actor used to lure and deceive members of the infosec community.
Security researchers are advised to review their browsing history and check whether they interacted with any of these profiles or visited the malicious domain blog[.]br0vvnn[.]io.
Image: Google
If they did, they are likely to have been infected and should take steps to investigate their own systems.
The reason for targeting security researchers is fairly obvious: it could allow the North Korean group to steal exploits for vulnerabilities discovered by the infected researchers, which the threat group could then deploy in its own attacks at little or no development cost.
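The history check Google recommends can be scripted rather than done by eye. The following is an added example, not code from Google's report or from this article: it copies Chrome's `History` SQLite database (the copy avoids reading a file the browser is still writing), walks the `urls` table, and reports every entry whose hostname is the domain named above or a subdomain of it. The indicator list contains only the domain this page mentions; the profile handles from Google's report would be added the same way. The sample database built by `demo()` is constructed for illustration, and the default Windows profile path is an assumption.

```python
import os
import shutil
import sqlite3
import sys
import tempfile
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Indicator taken from the page (shown there defanged as blog[.]br0vvnn[.]io).
# Matching on the registrable domain also catches any other hostname under it.
IOC_DOMAINS = {"br0vvnn.io"}

# Chrome's history database stores last_visit_time as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def default_history_path():
    """Assumed location of the default Chrome profile's History file on Windows."""
    local = os.environ.get("LOCALAPPDATA", "")
    return os.path.join(local, "Google", "Chrome", "User Data", "Default", "History")


def chrome_time_to_iso(webkit_us):
    """Convert Chrome's WebKit timestamp to an ISO-8601 UTC string (None if unset)."""
    if not webkit_us:
        return None
    return (WEBKIT_EPOCH + timedelta(microseconds=webkit_us)).isoformat()


def host_matches(host, iocs):
    """True if host equals an indicator domain or is a subdomain of one.

    A substring test would also flag lookalikes such as br0vvnn.io.example.com
    or a path that merely contains the string, so the check is on the hostname only.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def scan_history(history_path, iocs=IOC_DOMAINS):
    """Return history entries whose hostname matches an indicator domain."""
    hits = []
    # Work on a copy: Chrome may hold the database open while it is running.
    with tempfile.TemporaryDirectory() as tmp:
        copy_path = os.path.join(tmp, "History")
        shutil.copy2(history_path, copy_path)
        con = sqlite3.connect(copy_path)
        try:
            rows = con.execute(
                "SELECT url, title, visit_count, last_visit_time FROM urls"
            )
            for url, title, visit_count, last_visit in rows:
                host = urlparse(url).hostname
                if host_matches(host, iocs):
                    hits.append({
                        "url": url,
                        "host": host.lower(),
                        "title": title,
                        "visit_count": visit_count,
                        "last_visit": chrome_time_to_iso(last_visit),
                    })
        finally:
            con.close()
    return hits


def build_sample_history(path):
    """Create a constructed History database using Chrome's `urls` column names."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)"
    )
    sample_rows = [  # constructed sample data, not real browsing history
        ("https://blog.br0vvnn.io/", "Blog", 1, 0, 13256000000000000, 0),
        ("https://twitter.com/messages", "Messages", 5, 1, 13256000000000000, 0),
        ("https://example.com/notbr0vvnn.io", "Decoy path", 1, 0, 13256000000000000, 0),
        ("https://br0vvnn.io.example.com/", "Lookalike host", 1, 0, 13256000000000000, 0),
        ("http://br0vvnn.io/post", "Post", 2, 0, 0, 0),
    ]
    con.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        sample_rows,
    )
    con.commit()
    con.close()


def demo():
    """Build the constructed sample database and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "History")
        build_sample_history(sample)
        return scan_history(sample)


if __name__ == "__main__":
    # Usage: python scan_history.py [path-to-History]; no argument runs the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for hit in (scan_history(target) if target else demo()):
        print(f"{hit['last_visit']}  {hit['visit_count']:>3}  {hit['url']}")
```

Only two of the five sample entries are reported: the lookalike host and the URL that merely carries the domain in its path are left out, which is the point of matching on the parsed hostname rather than searching the raw URL. A hit with a `null` last visit time means Chrome had no recorded visit timestamp for that entry, not that the visit did not happen.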
In the meantime, several security researchers have already posted on social media that they received messages from the attackers' accounts, although none has said their systems were compromised.
ATTENTION! I can confirm that this is true and I was hit by @z0x55g who sent me a PoC trigger for the Windows kernel. The vulnerability was real and complex to trigger. Luckily I only ran it on the VM.. in the end, the VMDK I was using was corrupted and not bootable, so it auto-imploded https://t.co/dvdCWsZyne
– Richard Johnson (@richinseattle) January 26, 2021