North Korean hackers target security researchers


A recent phishing campaign by North Korean nation-state hackers successfully deceived a number of security professionals involved in vulnerability research and development, according to a new report from Google’s Threat Analysis Group (TAG).

The unnamed threat group used various social engineering tactics to present themselves as fellow security specialists, winning over unsuspecting experts by convincing them that they were seeking collaboration on research, according to the TAG report.

Central to the deception was a fake research blog filled with write-ups and analyses. The hackers even lured unsuspecting ‘guest’ security writers to contribute in an apparent ‘attempt to build additional credibility’. They also shared YouTube videos via social media in which they walked through a fake exploit they claimed to have carried out, another ploy to build trust.

A number of threat researchers took to Twitter on Monday night to claim that they had been targeted by the campaign.

The hackers seeded their blog with malware in an attempt to compromise researchers who visited it. Clicking a link posted on the site led to the installation of malware that created a backdoor, which would then begin beaconing (that is, communicating) to the group’s command-and-control server. Zero-day vulnerabilities were probably used in this campaign, since the targeted individuals were running fully patched versions of the Chrome browser and Windows 10, the report said.

Malware was also delivered through the ‘collaboration’ itself. The report reads:

“After the actors have set up initial communication, they would ask the targeted researcher if they would like to collaborate on vulnerability research, and then provide a Visual Studio project to the researcher. Within the Visual Studio project, there would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed by Visual Studio Build Events. The DLL is custom malware that immediately starts communicating with the actor-controlled C2 domains.”
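As an added defensive example (not from the TAG report or this article), the following Python script inspects a .vcxproj file for the delivery route the quote describes: build events or Exec tasks whose commands invoke a loader binary or reference a DLL. The sample project XML, the loader watch-list and the file names in it are constructed for this illustration.

```python
"""Flag Visual Studio project build steps that launch external code."""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"

# Host binaries commonly used to run a DLL or script from a build step
# (constructed watch-list for this example; tune it to your own policy).
LOADER_RE = re.compile(
    r"\b(rundll32|regsvr32|powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b", re.I)
DLL_RE = re.compile(r"\S+\.dll\b", re.I)

# Constructed sample project modelled on the route the report describes:
# a PreBuildEvent that executes a bundled DLL as soon as the project builds.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup><ClCompile Include="poc.cpp" /></ItemGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,Init</Command>
    </PreBuildEvent>
    <PostBuildEvent><Command>echo build finished</Command></PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Stage" AfterTargets="Build">
    <Exec Command="regsvr32 /s $(OutDir)stage.dll" />
  </Target>
</Project>
"""

def find_build_commands(vcxproj_xml):
    """Return (source, command) for every build event and Exec task in a project."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for tag in ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent"):
        for node in root.iter(MSBUILD_NS + tag):
            cmd = node.find(MSBUILD_NS + "Command")
            if cmd is not None and cmd.text and cmd.text.strip():
                found.append((tag, cmd.text.strip()))
    for node in root.iter(MSBUILD_NS + "Exec"):  # Target-level Exec tasks run code too
        cmd = node.get("Command", "").strip()
        if cmd:
            found.append(("Exec", cmd))
    return found

def suspicious_build_commands(vcxproj_xml):
    """Keep only commands that call a known loader binary or reference a .dll."""
    return [(src, cmd) for src, cmd in find_build_commands(vcxproj_xml)
            if LOADER_RE.search(cmd) or DLL_RE.search(cmd)]
```

Run `suspicious_build_commands` over any project received from an unverified collaborator before opening it in Visual Studio; in the sample it flags the PreBuildEvent and the Exec task while leaving the harmless echo alone.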

The threat group used a variety of channels to carry out the deception, including email, fake Twitter and Telegram accounts, LinkedIn, Keybase, and others. In their report, TAG researchers listed the URLs of a number of now-defunct social media and LinkedIn accounts they say were used in the campaign.


“We hope this message will remind those in the security research community that they are targets for government-backed attackers and that they must remain vigilant when engaging in conversations with individuals with whom they have not been in contact before,” TAG researchers wrote.

The researchers say they have not yet confirmed the “mechanism of compromise” the hackers used against the targeted security researchers, “but we welcome any information others may have.”
