Microsoft: North Korea-linked Zinc APT targets security experts

Pierluigi Paganini January 29, 2021

Microsoft, like Google TAG, observed a cyber espionage campaign aimed at vulnerability researchers that it attributed to the North Korea-linked Zinc APT group.

Researchers from Microsoft monitored a cyber espionage campaign aimed at vulnerability researchers and attributed the attacks to the North Korea-linked Zinc APT group.

“In recent months, Microsoft has detected cyberattacks targeting security researchers by an actor we track as ZINC. The campaign originally came to our attention after Microsoft Defender for Endpoint detected an attack in progress.” states the report published by Microsoft. “Observed targeting includes pen testers, private offensive security researchers, and employees at security and tech companies. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to ZINC, a DPRK-affiliated and state-sponsored group, based on observed tradecraft, infrastructure, malware patterns, and account affiliations.”

This week, Google Threat Analysis Group (TAG) also warned of North Korea-linked hackers targeting security researchers through social media.

According to the Google team that focuses on nation-state attacks, a North Korea-linked APT group has targeted experts working on security vulnerability research.

Microsoft reported that the threat actors attempted to get in contact with the researchers asking them to collaborate on vulnerability research projects.

The hackers employed a custom backdoor to compromise the systems of the vulnerability researchers.

According to Microsoft, the ‘ZINC’ APT group has been targeting security researchers, pen testers, and employees at security firms in recent months.

The activity of the Zinc APT group, aka Lazarus, surged in 2014 and 2015, when its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it has been involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

The attackers targeted the researchers through multiple social networking platforms, including Twitter, LinkedIn, Telegram, Discord, and Keybase.

Threat actors used a network of fake profiles to get in contact with researchers of interest. In mid-2020, ZINC hackers created Twitter profiles for fake security researchers that were used to retweet security content and post about vulnerability research.


Attackers used Twitter profiles for sharing links to a blog under their control (br0vvnn[.]io), to share videos of their claimed exploits, and for amplifying and retweeting posts from other accounts under their control.

Once initial communications were established, the attackers would ask the targeted security researcher whether they wanted to collaborate on vulnerability research, and would then share a Visual Studio project with them.

The Visual Studio project used by the attackers included the source code for exploiting the vulnerability along with an additional DLL, a backdoor, that would be executed through Visual Studio Build Events.

The Visual Studio project therefore contained a malicious DLL that would be executed when researchers compiled the project.

The malicious code would lead to the installation of a backdoor that would allow the attackers to take over the target’s computer.
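Because the DLL in this campaign was launched through Visual Studio Build Events, a defender can triage a shared project before building it by inspecting the build-event commands stored in its `.vcxproj` file. The scanner below is an added example written for this article; it is not Microsoft's tooling and not code from the report. It parses the MSBuild XML, pulls every `PreBuildEvent`, `PreLinkEvent`, `PostBuildEvent` and `CustomBuildStep` command together with the configuration condition it applies to, and flags commands that invoke script hosts or DLL loaders that have no place in an ordinary build step. The list of suspicious binaries and the sample project (including the `payload.dll` name) are constructed assumptions for the demonstration.

```python
"""Triage MSBuild build events in a .vcxproj before compiling a shared project.

Added example for this article (not Microsoft's code). The heuristic list of
binaries and the sample project below are constructed assumptions.
"""
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
BUILD_EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}

# Assumption: living-off-the-land binaries that rarely belong in a build step.
SUSPICIOUS_BINARIES = ("rundll32", "regsvr32", "powershell", "pwsh", "mshta",
                       "wscript", "cscript", "certutil", "bitsadmin", "msiexec")


def _local(tag):
    """Strip the XML namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def scan_vcxproj(xml_text):
    """Return a list of findings, one per build-event command that looks suspicious.

    Each finding is a dict with the event tag, the enclosing Condition attribute
    (e.g. the configuration the event is limited to), the raw command and the
    reasons it was flagged.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in BUILD_EVENT_TAGS:
            continue
        cmd_elem = elem.find(f"{{{MSBUILD_NS}}}Command")
        if cmd_elem is None or not (cmd_elem.text or "").strip():
            continue
        command = cmd_elem.text.strip()
        lowered = command.lower()
        reasons = [f"invokes {b}" for b in SUSPICIOUS_BINARIES if b in lowered]
        if reasons and ".dll" in lowered:
            reasons.append("references a DLL")
        if not reasons:
            continue
        # Walk up to the nearest ancestor carrying a Condition attribute, which
        # tells us which configuration (Debug/Release, platform) triggers the event.
        condition = ""
        node = parent.get(elem)
        while node is not None:
            if node.attrib.get("Condition"):
                condition = node.attrib["Condition"]
                break
            node = parent.get(node)
        findings.append({"event": _local(elem.tag), "condition": condition,
                         "command": command, "reasons": reasons})
    return findings


# Constructed sample: a benign Debug post-build copy and a Release pre-build
# event that loads a DLL through rundll32 (the pattern this article describes).
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PostBuildEvent>
      <Command>xcopy /Y "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PreBuildEvent>
      <Command>cmd /c rundll32.exe "$(ProjectDir)payload.dll",Start</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for f in scan_vcxproj(SAMPLE_VCXPROJ):
        print(f"[{f['event']}] condition={f['condition']!r}")
        print(f"  command: {f['command']}")
        print(f"  reasons: {', '.join(f['reasons'])}")
```

Run it against every `.vcxproj` (and `.csproj`, which uses the same build-event elements) in an untrusted solution before opening it in Visual Studio. A hit is not proof of malice, but a build event that only fires in one configuration and loads a DLL via `rundll32` is exactly the kind of command worth reading before pressing Build, ideally inside the isolated VM Microsoft recommends.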

The attackers published a blog post titled “DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug” and shared it via Twitter. Researchers who visited the post between October 19 and 21, 2020, using the Chrome browser were infected with known ZINC malware. Microsoft researchers noticed that some of the victims were using fully patched browsers, a circumstance that suggests the attackers used 0-day exploits. Not all visitors to the site were infected.

Attackers also used other techniques to target security professionals; in some cases, for example, they distributed blog posts as MHTML files containing obfuscated JavaScript that pointed to a ZINC-controlled domain for further JavaScript to execute.
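An MHTML file is a MIME `multipart/related` archive, so an incident responder can unpack a suspicious saved blog post offline with the Python `email` package, decode its HTML parts, and list every external script source and inline script before anyone opens it in a browser. The triage script below is an added example written for this article, not code from Microsoft or from the campaign; the sample MHTML file is constructed, the obfuscation indicators are a heuristic assumption, and the IoC list contains only the two ZINC domains this article names (kept defanged in the code, as published).

```python
"""Offline triage of an MHTML file: list external script sources, match them
against known domains and flag inline scripts with obfuscation markers.

Added example for this article (not Microsoft's tooling). The sample file and
the obfuscation patterns are constructed assumptions.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Defanged ZINC domains named in the article.
ZINC_DOMAINS = ("br0vvnn[.]io", "codevexillium[.]org")

# Assumption: markers commonly seen in obfuscated loader scripts.
OBFUSCATION_PATTERNS = ("eval(", "unescape(", "String.fromCharCode",
                        "document.write(", "atob(")

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script\b(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>',
                              re.I | re.S)


def html_parts(mhtml_text):
    """Decode every text/html part of an MHTML document (handles quoted-printable)."""
    msg = email.message_from_string(mhtml_text, policy=policy.default)
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() == "text/html"]


def analyze_mhtml(mhtml_text, ioc_domains=ZINC_DOMAINS):
    """Return external script URLs, IoC domain hits and obfuscation markers found."""
    iocs = {d.replace("[.]", ".").lower() for d in ioc_domains}
    report = {"external_scripts": [], "ioc_hits": [], "obfuscation_hits": []}
    for html in html_parts(mhtml_text):
        for src in SCRIPT_SRC_RE.findall(html):
            report["external_scripts"].append(src)
            host = (urlparse(src).hostname or "").lower()
            if host in iocs:
                report["ioc_hits"].append(host)
        for body in INLINE_SCRIPT_RE.findall(html):
            hits = [p for p in OBFUSCATION_PATTERNS if p in body]
            if hits:
                report["obfuscation_hits"].append(hits)
    return report


# Constructed sample MHTML: one quoted-printable HTML part with an inline
# eval/unescape stub and a script tag loading further JavaScript from an
# article-named domain. ("=3D" is how quoted-printable encodes "=".)
SAMPLE_MHTML = """From: <Saved by Blink>
Subject: DOS2RCE write-up
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MultipartBoundary--demo--"

------MultipartBoundary--demo--
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: https://example.invalid/post.html

<html><body><h1>DOS2RCE</h1>
<script>eval(unescape("%64%6f%63"));</script>
<script src=3D"https://codevexillium.org/js/loader.js"></script>
</body></html>
------MultipartBoundary--demo----
"""

if __name__ == "__main__":
    result = analyze_mhtml(SAMPLE_MHTML)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Because the parser never renders the page or executes any script, it is safe to run on a quarantined sample; feed it the defanged IoC list from the Microsoft report to get an immediate match on the hosting domain, and treat any inline script that hits the obfuscation markers as something to reverse in a sandbox rather than open in Chrome.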

In one case, attackers attempted to exploit, without success, the CVE-2017-16238 vulnerability in a vulnerable driver for the antivirus product called Vir.IT eXplorer.

Attackers also employed an encrypted Chrome password-stealer hosted on the ZINC domain https://codevexillium[.]org.

“If you visited the referenced ZINC-owned blog (br0vvnn[.]io), you should immediately run a full antimalware scan and use the provided IOCs to check your systems for intrusion. If a scan or searching for the IOCs find any related malware on your systems, you should assume full compromise and rebuild. Microsoft assesses that security research was the likely objective of the attack, and any information on the affected machine may be compromised.” concludes Microsoft.

“For proactive prevention of this type of attack, it is recommended that security professionals use an isolated environment (e.g., a virtual machine) for building untrusted projects in Visual Studio or opening any links or files sent by unknown parties.”

Microsoft also shared a list of IOCs observed during this activity. 


Pierluigi Paganini

(SecurityAffairs – hacking, Zinc)
