In the past few months, hackers have been trying to compromise the computer systems of a number of security researchers who work on vulnerability research and development at various companies and organizations, the Google Threat Analysis Group (TAG) announced on Monday.
The hacker’s tactics
The hackers, who Google TAG believes are backed by the North Korean government, first created a blog and filled it with posts about publicly known vulnerabilities, then set up fake Twitter, LinkedIn, Keybase and Telegram accounts under invented personas and used them to contact security researchers directly.
“After establishing the first communication, the actors asked the target researcher whether they would like to work together on vulnerability research, and then made a Visual Studio project available to the researcher,” explained Google TAG researcher Adam Weidemann.
“Inside the Visual Studio project is source code to exploit the vulnerability and an additional DLL that runs through Visual Studio build events. The DLL is custom malware that immediately starts communicating with actor-controlled C2 domains.”
This approach was complemented by another: the attackers shared a link to the blog with targeted researchers and asked them to look at an article.
“Shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor began beaconing to an on-command command and control server. At the time of these visits, fully patched and current Windows 10 and Chrome browser versions were running on the victim systems,” said Weidemann.
It appears that the attackers exploited a zero-day Chrome vulnerability to achieve the compromise, although the team says it still cannot confirm the compromise mechanism.
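The lure described above ran its malware through Visual Studio build events. As an added example (not code from Google TAG or from the report), the script below lists every build-event and Exec command a .vcxproj would execute on build, so a project received from a stranger can be reviewed before it is opened; the sample project and the token list are constructed for this illustration.

```python
# Added example: enumerate what a Visual Studio project runs at build time.
# Sample project text and the token list below are constructed, not from the page.
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}
# Tokens that merit manual review in a build command (an assumed, illustrative list).
SUSPICIOUS = re.compile(r"rundll32|regsvr32|powershell|\.dll\b|cmd(\.exe)?\s+/c", re.I)

# Constructed sample: a harmless pre-build echo, a post-build event that loads
# a DLL, and an AfterBuild target that runs a script.
SAMPLE_VCXPROJ = """
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent><Command>echo Building PoC</Command></PreBuildEvent>
    <PostBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,Entry</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -File $(ProjectDir)setup.ps1" />
  </Target>
</Project>
"""

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # strip the MSBuild namespace, if any

def build_commands(vcxproj_xml: str) -> List[Tuple[str, str]]:
    """Return (location, command) pairs, in document order, for every build-event
    <Command> element and every <Exec Command="..."> task in the project."""
    found = []
    for el in ET.fromstring(vcxproj_xml).iter():
        name = _local(el.tag)
        if name in EVENT_TAGS:
            for child in el:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((name, child.text.strip()))
        elif name == "Exec" and el.get("Command", "").strip():
            found.append(("Target/Exec", el.get("Command").strip()))
    return found

def flag_suspicious(commands: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only the commands containing a review-worthy token."""
    return [(loc, cmd) for loc, cmd in commands if SUSPICIOUS.search(cmd)]

if __name__ == "__main__":
    for loc, cmd in build_commands(SAMPLE_VCXPROJ):
        print(("!! " if SUSPICIOUS.search(cmd) else "   ") + f"{loc}: {cmd}")
```

Run it against any .vcxproj before loading the project in Visual Studio; a build that fires rundll32 or a script from a "proof of concept" project is the step worth questioning.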
Have you been targeted?
Google TAG shared a list of the Twitter, LinkedIn, Keybase and Telegram accounts the attackers used, the URL of the malicious blog, the command and control domains, malware hashes, and host-based indicators of compromise.
Publishing all of this information prompted some of the targeted researchers to share their experiences:
Hey guys, story time. A guy named James Willy came up to me to help me with a 0 day. After writing a root cause analysis report, I found that the Visual Studio project he gave me was behind the door.
– Alejandro Caceres (@_hyp3ri0n) January 26, 2021
WARNING! I can attest that this is true and I was hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately, I only ran it in a VM. In the end, the VMDK I was using was actually corrupted and not bootable so it imploded itself https://t.co/dvdCWsZyne
– Richard Johnson (@richinseattle) January 26, 2021
– Hossein Lotfi (@hosselot) January 26, 2021
Reverse engineer and threat intelligence analyst Kevin Perlow has also analyzed some of the malware used in these attacks.
“So far we have only directed these actors to Windows systems as part of this campaign,” Weidemann concluded.
“If you are concerned that you may be targeted, we recommend that you break up your research using separate physical or virtual machines for general Internet browsing, interacting with others in the research community, accepting third-party files, and doing your own security research.”