Google on Monday disclosed details about an ongoing campaign carried out by a government-backed threat actor from North Korea that has targeted security researchers working on vulnerability research and development.
The internet giant’s Threat Analysis Group (TAG) said the adversary created a research blog and multiple profiles on various social media platforms such as Twitter, Twitter, LinkedIn, Telegram, Discord, and Keybase in a bid to communicate with the researchers and build trust.
The goal, it appears, is to steal exploits developed by the researchers for possibly undisclosed vulnerabilities, thereby allowing them to stage further attacks on vulnerable targets of their choice.
“Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including ‘guest’ posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers,” said TAG researcher Adam Weidemann.
The attackers created as many as 10 fake Twitter personas and five LinkedIn profiles, which they used to engage with the researchers, share videos of exploits, retweet other attacker-controlled accounts, and share links to their purported research blog.
In one instance, the actor used Twitter to share a YouTube video of what it claimed to be an exploit for a recently patched Windows Defender flaw (CVE-2021-1647), when in reality, the exploit turned out to be fake.
The North Korean hackers are also said to have used a “novel social engineering method” to hit security researchers by asking them if they would like to collaborate on vulnerability research together and then provide the targeted individual with a Visual Studio Project.
This Visual Studio Project, besides containing the source code for exploiting the vulnerability, included a custom malware that establishes communication with a remote command-and-control (C2) server to execute arbitrary commands on the compromised system.
Kaspersky researcher Costin Raiu, in a tweet, noted the malware delivered via the project shared code-level similarities with Manuscrypt (aka FAILCHILL or Volgmer), a previously known Windows backdoor deployed by the Lazarus Group.
What’s more, TAG said it observed several cases where researchers were infected after visiting the research blog, following which a malicious service was installed on the machine, and an in-memory backdoor would begin beaconing to a C2 server.
With the victim systems running fully patched and up-to-date versions of Windows 10 and Chrome web browser, the exact mechanism of compromise remains unknown. But it’s suspected that the threat actor likely leveraged zero-day vulnerabilities in Windows 10 and Chrome to deploy the malware.
“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,” Weidemann said.
UPDATE (28 Jan, 2021): Microsoft releases more information on this campaign
In a separate analysis, Microsoft corroborated the findings, attributing the attacks to a threat actor it calls ZINC, also known as Lazarus Group or Hidden Cobra.
The Windows maker said the campaign took roots in mid-2020 when the adversary “started building a reputation in the security research community on Twitter by retweeting high quality security content and posting about exploit research from an actor-controlled blog.”
Microsoft’s analysis of the malicious DLL (dubbed “Comebacker”) has also revealed the group’s attempts to evade detection via static indicators of compromise (IoCs) by frequently changing file names, file paths, and exported functions. “We were first alerted to the attack when Microsoft Defender for Endpoint detected the Comebacker DLL attempting to perform process privilege escalation,” the company said.
That’s not all. With some researchers infected simply by visiting the website on fully patched systems running Windows 10 and Chrome browser, the company suspects a Chrome exploit chain leveraging zero-day or patch gap exploits was hosted on the blog, leading to the compromise.
“A blog post titled DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug, was shared by the actor on October 14, 2020 from Twitter,” the researchers said. “From October 19-21, 2020, some researchers, who hadn’t been contacted or sent any files by ZINC profiles, clicked the links while using the Chrome browser, resulting in known ZINC malware on their machines soon after.”