North Korean hackers are targeting security researchers, warns Google

Hemani Sheth Mumbai | Updated on January 26, 2021

Google’s Threat Analysis Group (TAG) researchers have discovered ongoing campaigns targeting cybersecurity researchers working for different companies and organisations.

“Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organisations,” Adam Weidemann, Threat Analysis Group said in a blog post.

“The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers,” Weidemann said.

The actors have used multiple platforms to make contact with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email, according to the post.

Google’s post includes a detailed list of the known accounts and aliases used in the campaign. To date, TAG has only observed these actors targeting Windows systems as part of this campaign.


“In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control,” explained Weidemann.

“Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including ‘guest’ posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers,” he further explained.

While TAG has been unable to verify the authenticity of all of the exploits shown in these videos, it found that in at least one case the actors faked the success of a claimed working exploit.

“The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” Weidemann said.

“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains,” he further explained.
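The Build Events vector described in the quote above is worth a concrete check before opening any exploit project received from an unverified contact. The following Python script is an added example, not code from Google’s post or from the campaign, and it assumes nothing about the real project beyond the standard .vcxproj format: it parses the project XML and lists every build-time command MSBuild would run (pre-build, pre-link and post-build events, custom build steps and Exec tasks), then flags the ones that reference common living-off-the-land binaries or DLLs. The sample project file, the `helper.dll` name and the indicator substrings are constructed for this example.

```python
"""Triage check for Visual Studio project files received from a third party.

Lists every build-time command a .vcxproj would execute on the developer's
machine (pre-/post-build and pre-link events, custom build steps, MSBuild
Exec tasks), so the project can be reviewed before it is ever built.
Example code; the sample project and indicator list below are constructed.
"""

import xml.etree.ElementTree as ET

# Element names whose <Command> child MSBuild runs as a shell command.
EVENT_ELEMENTS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuild")

# Heuristic substrings worth a closer look in a project you did not write.
# Chosen for this example; not an exhaustive indicator set.
SUSPICIOUS = ("rundll32", "regsvr32", "powershell", "mshta", "certutil",
              "wscript", "cscript", ".dll", "http")


def _local(tag):
    """Strip the XML namespace ({...}Name -> Name) from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(vcxproj_xml):
    """Return [(source_element, command), ...] for every build-time command."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for elem in root.iter():  # document order
        name = _local(elem.tag)
        if name in EVENT_ELEMENTS:
            for child in elem:  # direct children only
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((name, child.text.strip()))
        elif name == "Exec":
            cmd = elem.get("Command")
            if cmd and cmd.strip():
                found.append(("Exec", cmd.strip()))
    return found


def flag_suspicious(commands):
    """Keep commands matching any SUSPICIOUS substring; attach the hits."""
    flagged = []
    for source, cmd in commands:
        hits = [s for s in SUSPICIOUS if s in cmd.lower()]
        if hits:
            flagged.append((source, cmd, hits))
    return flagged


# Constructed sample: a PoC project whose post-build event loads a DLL via
# rundll32 and whose AfterBuild target runs a script. Not taken from the page.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="exploit.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>echo Building exploit PoC</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,Run</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -ep bypass -f $(ProjectDir)setup.ps1" />
  </Target>
</Project>
"""


if __name__ == "__main__":
    # Usage: python check_vcxproj.py  (or point find_build_commands at a real file)
    all_cmds = find_build_commands(SAMPLE_VCXPROJ)
    for source, cmd in all_cmds:
        print(f"[{source}] {cmd}")
    for source, cmd, hits in flag_suspicious(all_cmds):
        print(f"SUSPICIOUS [{source}] {cmd}  (hits: {', '.join(hits)})")
```

Run it against a real project with `find_build_commands(open(path, encoding="utf-8").read())`. The point is that anything listed runs with the researcher’s privileges the moment the project is built, so an empty list is the only result that should be treated as routine; also check any `.targets` or `.props` files the project imports, since the same elements can live there.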


Besides the social engineering approach, TAG has on a few occasions seen researchers compromised after simply visiting the actors’ blog.

“In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” according to Weidemann’s blog.

TAG has not yet been able to confirm the mechanism of compromise: at the time of the visits, the affected researchers were running fully patched and up-to-date versions of Windows 10 and the Chrome browser.

Anyone with information on Chrome vulnerabilities, including those being exploited in the wild (ITW), is eligible for a reward payout under Chrome’s Vulnerability Reward Program (VRP).

“We encourage anyone who discovers a Chrome vulnerability to report that activity via the Chrome VRP submission process,” the blog read.


Published on January 26, 2021