Security researchers targeted by North Korean actors.
Google's Threat Analysis Group (TAG) warns that a North Korean state-sponsored actor is targeting security researchers via fake profiles on Twitter, LinkedIn, Telegram, Discord, and Keybase. The attackers purported to be analyzing a vulnerability and invited the researchers to work with them:
"The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains."
In one case, the actor made a YouTube video that appeared to show successful exploitation of the recently patched Windows Defender vulnerability CVE-2021-1647, although observant viewers determined that the video had been faked.
The attackers also set up a research blog that used an apparently unknown vulnerability to install backdoors on visitors' systems. Google's researchers note, "At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have. Chrome vulnerabilities, including those being exploited in the wild (ITW), are eligible for reward payout under Chrome's Vulnerability Reward Program."
TAG has published a list of the attackers' social media accounts, infrastructure, and IOCs. The researchers advise, "If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties, and your own security research."
Cisco Talos confirmed that its researchers had been targeted by this campaign, although they "did not engage to the point where the malicious files were provided." Talos notes that "the attacker has a good grasp of the English language and made contact within the normal working hours for the researcher based on their time zone, denoting some care regarding the quality of the lure." ZDNet cites numerous other researchers who shared that they had been targeted.
On Thursday Microsoft attributed the recently exposed long-con social engineering of vulnerability researchers to the North Korean group Microsoft calls "Zinc" and most others know as the Lazarus Group. Their report confirms much of what Google's researchers had concluded about the threat actors' methods. "After building their reputation across their established social media accounts," Microsoft writes, "the actors started approaching potential targets on social media platforms such as Twitter and LinkedIn. The conversations were often seemingly innocuous, asking security questions or talking about exploit techniques. If the researcher was responsive, the actor would offer to move communication to another platform (e.g., email, Discord) in some cases to then send files using encrypted or PGP protected ZIPs."
Redmond provided a set of indicators of compromise and offered some advice for those who might be affected. Should you have visited one of the blogs owned and operated by Zinc (Microsoft's report has a list of them), you'd do well to run a "full antimalware scan and use the provided IOCs to check your systems for intrusion." If you find any of Zinc's malware, assume your system is fully compromised and rebuild it. To avoid being hit by something like this, Microsoft advises security professionals to use a virtual machine when building untrusted projects in Visual Studio, or when opening links or files sent by unknown parties.
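The delivery mechanism TAG describes, a DLL launched through Visual Studio Build Events, is invisible in the source files themselves but sits in the project XML. As an added example (not code from Google, Talos or Microsoft), this Python audit lists every command a .vcxproj would run during a build so the steps can be reviewed before the project is built in a throwaway VM; the sample project, file names and the suspect-command heuristic are constructed for illustration.

```python
# Added example (not code from TAG, Talos or Microsoft): list every shell command
# MSBuild would run while building a .vcxproj, so hidden build-event steps (the
# delivery path described above) are visible before the project is built.
import re
import xml.etree.ElementTree as ET

# Elements whose <Command> child MSBuild executes during a build.
EVENT_ELEMENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuild"}
# Constructed, deliberately short heuristic: commands that deserve a human look.
SUSPECT = re.compile(r"rundll32|regsvr32|powershell|\.dll\b", re.IGNORECASE)


def _local_name(tag):
    """Strip the MSBuild XML namespace, if present, from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_build_events(vcxproj_xml):
    """Return one record per command MSBuild would run, in document order."""
    findings = []
    for node in ET.fromstring(vcxproj_xml).iter():
        name = _local_name(node.tag)
        cmd = ""
        if name in EVENT_ELEMENTS:
            # Pre/post-build and custom-build steps carry the command as text.
            cmd = next((c.text for c in node if _local_name(c.tag) == "Command"), "") or ""
        elif name == "Exec":
            # <Exec Command="..."/> inside a custom <Target> runs as well.
            cmd = node.get("Command") or ""
        if cmd.strip():
            findings.append({"kind": name, "command": cmd.strip(),
                             "suspect": bool(SUSPECT.search(cmd))})
    return findings


# Constructed sample project: a benign pre-build copy, a post-build step that
# loads a DLL (the pattern TAG describes) and an Exec task in a custom target.
SAMPLE_VCXPROJ = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)'=='Release'">
    <PreBuildEvent><Command>copy "$(SolutionDir)res\icon.ico" "$(OutDir)"</Command></PreBuildEvent>
    <PostBuildEvent><Command>rundll32.exe "$(SolutionDir)lib\helper.dll",Run</Command></PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild"><Exec Command="echo build finished" /></Target>
</Project>"""

if __name__ == "__main__":
    for f in audit_build_events(SAMPLE_VCXPROJ):
        print("REVIEW" if f["suspect"] else "ok    ", f["kind"], f["command"])
```

Run it against each .vcxproj in a received solution before building; a project with no build-event output at all still needs the VM, since a compiled project can do anything the source tells it to.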
For more, see the CyberWire Pro Research Briefing.