North Korea-linked campaign targets security experts via social media

Pierluigi Paganini January 26, 2021

Google TAG is warning that North Korea-linked hackers targeting security researchers through social media.

Google Threat Analysis Group (TAG) is warning that North Korea-linked hackers targeting security researchers through social media.

According to the Google team that focuses on nation-state attacks, a North Korea-linked APT group has targeted experts that are working on the research of security vulnerability.

“Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations.” reads the TAG’s report. “The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers”

The attackers targeted the researchers through multiple social networking platforms, including Twitter, LinkedIn, Telegram, Discord, and Keybase.

North Korea

Threat actors used a network of fake profiles to get in contact with researchers of interest, in some cases the victims were also contacted via email.

In an attempt to get in contact with security researchers, the threat actors created a research blog and used a network of Twitter profiles to interact with potential targets. Attackers used Twitter profiles for sharing links to their blog, to share videos of their claimed exploits, and for amplifying and retweeting posts from other accounts under their control.

“The actors have been observed targeting specific security researchers by a novel social engineering method.” continues the post. “After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project.”

The Visual Studio project used by the attackers included the source code for exploiting the vulnerability along with an additional DLL that would be executed through Visual Studio Build Events, which is a backdoor.

Experts also reported that threat actors used social engineering attacks to target the researchers. The experts noticed that attackers conducted watering hole attacks, victims were compromised after visiting the threat actors’ blog. The attackers have shared a link on Twitter to a post on blog.br0vvnn[.]io, the site was designed to deliver a malicious service on the researcher’s system and inject a backdoor directly into the memory of the target system. 

Google TAG experts noticed that this mechanism likely involved zero-day exploits because its was able to infect visitors using fully patched and up-to-date Windows 10 and Chrome browser versions.

“At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have. Chrome vulnerabilities, including those being exploited in the wild (ITW), are eligible for reward payout under Chrome’s Vulnerability Reward Program.” continues the report. “We encourage anyone who discovers a Chrome vulnerability to report that activity via the Chrome VRP submission process.”

Google TAG experts call to action the cybersecurity community to share details about these recent attacks.

Google TAG report includes a list of actor controlled sites and accounts and is inviting security researchers to review their online activities and contacts to discover if they gave interacted in some ways with these threat actors.

Security researchers are advised to review their browsing histories and see if they interacted with the threat actors.

“If you have communicated with any of these accounts or visited the actors’ blog, we suggest you review your systems for the IOCs provided below. To date, we have only seen these actors targeting Windows systems as a part of this campaign.” concludes Google.

“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment