A recent phishing campaign by North Korean nation-state hackers has successfully duped a number of security professionals involved in vulnerability research and development, according to a new report from Google’s Threat Analysis Group (TAG).
The unnamed threat group used various social engineering tactics to pose as fellow “white hat” security specialists, trapping the unsuspecting experts by convincing them they wanted to collaborate on investigations, according to the TAG report.
Most of this ruse involved setting up a fake research blog, filled with articles and analysis. The hackers even lured in unsuspecting “guest” security writers to contribute, in an apparent “attempt to build additional credibility.” They also posted YouTube videos via social media deconstructing the “fake exploits” they had carried out – another trust-building scheme.
A number of threat researchers spoke out on Twitter Monday evening, claiming they were the target of the campaign.
The hackers loaded their blog with malware, endangering researchers who visited it. Clicking on an article hosted on the site delivered malware and created a back door that would begin “beaconing” (i.e., communicating) with the hacker group’s command and control server. Zero-day vulnerabilities were likely used in this campaign, as a majority of the targeted individuals were running fully patched versions of the Chrome browser and Windows 10, the report notes.
Malware was also delivered through purported “collaboration” on research. The report states:
“After establishing the initial communication, the actors asked the intended researcher if they wanted to collaborate on vulnerability research, and then gave the researcher a Visual Studio project. Within the Visual Studio project would be the source code for exploiting the vulnerability as well as an additional DLL that would be run through Visual Studio Build Events. The DLL is custom malware that would immediately start communicating with actor-controlled C2 domains.”
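The build-event trick described in the quote is easy to miss because the DLL runs as soon as the project is built, before anyone reads the exploit source. The script below is an added example (it is not from the TAG report or this article): it uses Python's standard library to list every pre-build, pre-link, post-build and custom build command in a .vcxproj received from a collaborator and flags commands that invoke a DLL or script launcher. The sample project XML, the `helper.dll` name and the launcher list are constructed for the illustration.

```python
"""Audit a Visual Studio project file (.vcxproj) for build events that run
external commands before or after compilation."""
import xml.etree.ElementTree as ET

# MSBuild project files live in this XML namespace.
NS = {"m": "http://schemas.microsoft.com/developer/msbuild/2003"}
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep")
# Launcher binaries that can load an arbitrary DLL or script from a build step
# (constructed watch list; extend it for your own environment).
SUSPICIOUS = ("rundll32", "regsvr32", "powershell", "mshta", "wscript", "cscript")


def find_build_events(project_xml: str) -> list[dict]:
    """Return every non-empty build-event command in the project, together with
    the Condition of its ItemDefinitionGroup and a suspicious flag."""
    root = ET.fromstring(project_xml)
    findings = []
    for group in root.findall("m:ItemDefinitionGroup", NS):
        condition = group.get("Condition", "")
        for tag in EVENT_TAGS:
            for event in group.findall(f"m:{tag}", NS):
                cmd_el = event.find("m:Command", NS)
                if cmd_el is None or not (cmd_el.text or "").strip():
                    continue
                cmd = cmd_el.text.strip()
                findings.append({
                    "event": tag,
                    "condition": condition,
                    "command": cmd,
                    "suspicious": any(tok in cmd.lower() for tok in SUSPICIOUS),
                })
    return findings


# Constructed sample: a Debug|x64 pre-build step loads a DLL via rundll32,
# while the post-build step is an ordinary copy of the built binary.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="16.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile><WarningLevel>Level3</WarningLevel></ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dll",Start</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)out\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for f in find_build_events(SAMPLE_VCXPROJ):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{flag}] {f['event']} ({f['condition']}): {f['command']}")
```

Run it against any project file before the first build; a flagged pre-build event executing a DLL that the exploit source never references is the pattern the report describes.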
A variety of tools were used to aid in the threat group’s deception – including emails, fake Twitter and Telegram accounts, LinkedIn, Keybase, and others. In their report, TAG researchers named the URLs for some now-defunct social media and LinkedIn accounts they say were used in the hack.
“We hope this post will remind those in the security research community that they are the targets of government-backed attackers and should remain vigilant when dealing with individuals with whom they have not previously interacted,” wrote TAG researchers.
The researchers say they are unsure of the “compromise mechanism” that the hackers used against targeted security researchers, “but we welcome any information that others have.”