North Korean hackers targeted security researchers


Photo: JACK GUEZ / AFP (Getty Images)

A recent phishing campaign by North Korean nation-state hackers successfully tricked a number of security professionals involved in vulnerability research and development, according to a new report from the Google Threat Analysis Group (TAG).

The unidentified threat group used various social engineering tactics to impersonate “white hat” security experts, luring unsuspecting researchers by convincing them that the attackers wanted to collaborate on research, the TAG report says.

Much of the deception involved creating a fake research blog filled with articles and write-ups. The hackers even attracted unsuspecting “guest” security writers to contribute, in an apparent “attempt to build additional credibility”. They also posted YouTube videos via social media in which they walked through “fake exploits” they had executed – another scheme to build trust.

Several threat researchers said on Twitter late on Monday that they had been targets of the campaign.

The hackers loaded their blog with malware in an attempt to compromise the researchers who visited it. Opening an article hosted on the site delivered malware and created a backdoor that “would start beaconing” (that is, communicating) with the hackers’ command and control server. Zero-day vulnerabilities were probably used in this campaign, as the majority of targeted individuals were running the Chrome browser on fully patched versions of Windows 10, the report notes.

Malware was also delivered through purported research “collaboration”. The report states:

“After establishing the initial communications, the actors would ask the target researcher if they would like to collaborate in the vulnerability research and then provide the researcher with a Visual Studio Project. Within the Visual Studio project would be the source code for exploiting the vulnerability, as well as an additional DLL that would be run through Visual Studio compilation events. The DLL is custom malware that would immediately start communicating with actor-controlled C2 domains.”
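
The delivery method quoted above works because MSBuild executes whatever a project's pre- and post-build events (and `<Exec>` tasks) contain, before the researcher ever runs the compiled binary. The following is an added example, not code from the TAG report or from this article: a small Python audit that parses a `.vcxproj`/`.csproj` file, lists every build-time command it would run, and flags commands that load a DLL or invoke a script host, which has no business in a proof-of-concept project received from a stranger. The sample project XML and the `helper.dll` name are constructed for the example; the keyword list is a heuristic, not a complete signature.

```python
"""Audit an MSBuild project file for commands that run at build time.

Added example (not from the TAG report). Visual Studio executes
PreBuildEvent / PostBuildEvent / CustomBuildStep commands and <Exec> tasks
during compilation, so opening and building a project from an unknown
collaborator can run arbitrary code before any binary is launched.
"""
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose content is executed as a shell command during a build.
EVENT_ELEMENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}
TASK_ELEMENTS = {"Exec"}

# Heuristic: loading a DLL or spawning a script host from a build step is not
# something a legitimate exploit PoC project needs. Extend to taste.
SUSPICIOUS = re.compile(
    r"(rundll32|regsvr32|powershell|pwsh|cmd\.exe\s+/c|mshta|wscript|cscript|\.dll\b)",
    re.IGNORECASE,
)

# Constructed sample: one malicious-looking pre-build event, one benign Exec task.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <ClCompile><WarningLevel>Level3</WarningLevel></ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe $(SolutionDir)lib\\helper.dll,Init</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="echo Build finished" />
  </Target>
</Project>
"""


def _local_name(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_time_commands(project_xml: str) -> list[dict]:
    """Return every command MSBuild would execute during a build, in document order."""
    root = ET.fromstring(project_xml)
    findings = []
    for el in root.iter():
        name = _local_name(el.tag)
        if name in EVENT_ELEMENTS:
            # .vcxproj nests a <Command> child; old-style .csproj puts the
            # command directly in the element text.
            cmd_el = next((c for c in el if _local_name(c.tag) == "Command"), None)
            command = (cmd_el.text if cmd_el is not None else el.text) or ""
        elif name in TASK_ELEMENTS:
            command = el.get("Command", "")
        else:
            continue
        command = command.strip()
        if not command:
            continue
        findings.append(
            {
                "element": name,
                "command": command,
                "suspicious": bool(SUSPICIOUS.search(command)),
            }
        )
    return findings


def audit(project_xml: str) -> list[str]:
    """Human-readable report; any SUSPICIOUS line means: do not build this project."""
    report = []
    for f in find_build_time_commands(project_xml):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        report.append(f"[{flag}] {f['element']}: {f['command']}")
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_VCXPROJ):
        print(line)
```

Run the audit on the project file before opening the solution in Visual Studio; even a benign-looking `echo` should be read, because any build event is code execution at build time. The check is deliberately conservative: it lists every command and only adds the SUSPICIOUS tag on top.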

The threat group used a variety of channels to reach its targets – including email, fake Twitter and Telegram accounts, LinkedIn, Keybase, and others. In their report, TAG researchers listed the URLs of a series of now-defunct social media and LinkedIn accounts that they say were used in the campaign.


“We hope this post will remind members of the security research community that they are targets of government-supported attackers and should remain vigilant when interacting with individuals they have not previously interacted with,” wrote TAG researchers.

The researchers say they have not yet discovered the “compromise mechanism” that the hackers used against the targeted security researchers, “but we appreciate any information that others may have.”
