Google: North Korean hackers have targeted security researchers via social media

[Image: Michael Borgers, Getty Images / iStockphoto]

Google said today a North Korean hacking group has targeted members of the cyber security community who are conducting research on vulnerabilities.

The attacks were spotted by the Google Threat Analysis Group (TAG), a Google security team specializing in hunting advanced persistent threat (APT) groups.

In a report published earlier today, Google said the North Korean hackers used fake personas on several social networks, including Twitter, LinkedIn, Telegram, Discord and Keybase, to reach out to security researchers.

In some cases, the attackers also used email.

“After the initial communication, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research and then provide the Visual Studio project to the researcher,” said Adam Weidemann, a security researcher at Google TAG.

The Visual Studio project contained malicious code that installed malware on the targeted researcher’s operating system. The malware acted as a backdoor, contacting a remote command-and-control server and waiting for commands.

New mysterious browser attack also discovered

But Weidemann said the attackers did not always distribute malicious files to their targets. In some other cases, they asked security researchers to visit a blog they hosted at blog[.]br0vvnn[.]io (do not visit).

Google said the blog served malicious code that infected the security researcher’s computer after they visited the site.

“A malicious service was installed on the researcher’s system, and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Weidemann said.

But Google TAG also added that many victims who visited the site were “running fully patched and up-to-date versions of Windows 10 and Chrome browser” and still became infected.

Details of the browser-based attacks are few and far between, but some researchers believe the North Korean group may have used a combination of zero-day vulnerabilities in Chrome and Windows 10 to deploy their malicious code.

As a result, the Google TAG team is currently asking the cyber security community to share more details about the attacks, should any security researchers believe they are infected.

The Google TAG report lists links to fake social media profiles used by the North Korean actor to lure and mislead members of the infosec community.

Security researchers are advised to review their browser history and check whether they have interacted with any of these profiles or have visited the malicious blog.br0vvnn.io domain.

[Image: nk-apt-twitter-profiles.png. Image: Google]

If they did, they are likely to be infected and should take steps to investigate their own systems.

The reason for targeting security researchers is fairly obvious: it could allow the North Korean group to steal exploits for vulnerabilities discovered by the infected researchers, which the threat group could then use in its own attacks with little or no development cost.
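The browser-history check described above, as an added example that is not part of the article or of Google's report: it opens a copy of Chrome's History SQLite file read-only, refangs the defanged indicator from the report, and flags only true matches of the domain or its subdomains (a look-alike host that merely contains the string is not flagged). The sample History database is constructed here with just the columns the query uses; a real profile has many more tables and columns.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Indicator from the Google TAG report, kept defanged so it cannot be clicked.
DEFANGED_IOCS = ["blog[.]br0vvnn[.]io"]

def refang(ioc):
    """Turn a defanged indicator ('blog[.]example') back into a matchable domain."""
    return ioc.replace("[.]", ".").lower()

def host_matches(host, ioc_domain):
    """True if host is the IoC domain or a subdomain of it (not merely a substring)."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)

def webkit_to_utc(ts):
    """Chrome stores last_visit_time as microseconds since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ts)

def find_ioc_visits(history_db_path, iocs=DEFANGED_IOCS):
    """Return (url, visit_count, last_visit_utc) for rows of Chrome's urls table whose
    hostname matches an IoC. Opened read-only; Chrome locks a live profile's History
    file, so point this at a copy taken with the browser closed."""
    domains = [refang(i) for i in iocs]
    conn = sqlite3.connect(f"file:{history_db_path}?mode=ro", uri=True)
    try:
        rows = conn.execute("SELECT url, visit_count, last_visit_time FROM urls").fetchall()
    finally:
        conn.close()
    return [(url, count, webkit_to_utc(last)) for url, count, last in rows
            if any(host_matches(urlparse(url).hostname or "", d) for d in domains)]

def build_sample_history(path):
    """Constructed stand-in for a Chrome History DB (sample data, not a real profile)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [("https://blog.google/threat-analysis-group/", "TAG", 3, 13256000000000000),
         ("https://blog.br0vvnn.io/", "", 1, 13256100000000000),
         # look-alike host that must NOT match; a naive substring check would flag it
         ("https://blog.br0vvnn.io.example.org/", "", 1, 13256200000000000)])
    conn.commit()
    conn.close()

def demo():
    """Build the sample DB in a temp dir and return the matching visits."""
    path = os.path.join(tempfile.mkdtemp(), "History")
    build_sample_history(path)
    return find_ioc_visits(path)

if __name__ == "__main__":
    for url, count, when in demo():
        print(f"HIT {url} visits={count} last={when:%Y-%m-%d %H:%M} UTC")
```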

Meanwhile, several security researchers have already announced on social media that they have received messages from the attackers’ accounts, although no one has acknowledged that systems have been compromised.
