North Korean hackers targeted security researchers

Photo: JACK GUEZ / AFP (Getty Images)

A recent social-engineering campaign by North Korean state-backed hackers successfully fooled a number of security professionals involved in vulnerability research and development, according to a new report from Google's Threat Analysis Group (TAG).

The unnamed threat group used a range of social-engineering tactics to pose as “white hat” security colleagues, approaching unsuspecting researchers and convincing them that they wanted to collaborate on research, the TAG report shows.

Much of this ruse involved creating a fake research blog filled with write-ups and analysis. The hackers even lured legitimate, unsuspecting security researchers into contributing “guest” posts, in an “apparent attempt to build additional credibility.” They also circulated YouTube videos via social media in which they walked through exploits they claimed to have carried out, at least one of which was faked – another trust-building tactic.

A number of threat researchers said on Twitter on Monday night that they had been targeted by the campaign.

The hackers also used the blog itself to compromise researchers who visited it. Following a link hosted on the site delivered malware and installed a backdoor that would “start to beacon” (i.e. communicate) with the group’s command-and-control server. Zero-day vulnerabilities were likely used in this campaign, since the targeted researchers were running fully patched versions of the Chrome browser and Windows 10, the report notes.

Malware was also delivered through purported research “collaboration.” The report states:

“After establishing the initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then offer the researcher a Visual Studio project. Within the Visual Studio project there would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately start communicating with actor-controlled C2 domains.”
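The build-event trick described in the quote above is worth checking for before opening a project someone sent you: MSBuild runs any command in a PreBuildEvent, PreLinkEvent or PostBuildEvent (or an Exec task inside a Target) as soon as you build. As an added example, not code from the article or from Google TAG, the Python script below parses a .vcxproj/.csproj, lists every build-time command, and flags commands that match a few heuristics (rundll32, regsvr32, PowerShell, other LOLBins, DLL references, URLs). The indicator list and the embedded sample project are constructed for this illustration; the DLL name and export in the sample are made up and are not the names from the report.

```python
"""Audit MSBuild project files (.vcxproj / .csproj) for build events that execute code.

Heuristic example written for this article; it is not the TAG report's detection logic.
"""
import re
import xml.etree.ElementTree as ET

# Build-event containers whose <Command> child is executed by MSBuild at build time.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuild"}

# Assumed indicators (our own heuristics, not from the report): tools commonly used to
# load a DLL or run a script from a one-line shell command, plus DLL/URL references.
SUSPICIOUS = [
    (re.compile(r"\brundll32(\.exe)?\b", re.I), "rundll32 loads an arbitrary DLL export"),
    (re.compile(r"\bregsvr32(\.exe)?\b", re.I), "regsvr32 runs DllRegisterServer in a DLL"),
    (re.compile(r"\bpowershell(\.exe)?\b|\bpwsh\b", re.I), "PowerShell invocation at build time"),
    (re.compile(r"-enc(odedcommand)?\b", re.I), "encoded PowerShell command"),
    (re.compile(r"\b(mshta|certutil|bitsadmin|wscript|cscript)(\.exe)?\b", re.I), "LOLBin invocation"),
    (re.compile(r"\.dll\b", re.I), "references a DLL shipped with the project"),
    (re.compile(r"https?://", re.I), "contacts a remote URL"),
]


def _local(tag):
    """Strip the MSBuild XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def extract_build_events(xml_text):
    """Return (kind, command) pairs for every build-time command in the project.

    Handles classic <PreBuildEvent><Command>...</Command></PreBuildEvent> blocks and
    SDK-style <Target><Exec Command="..."/></Target> tasks, in document order.
    """
    root = ET.fromstring(xml_text)
    events = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    events.append((name, child.text.strip()))
        elif name == "Exec" and elem.get("Command"):
            events.append(("Exec", elem.get("Command").strip()))
    return events


def flag_command(command):
    """Return the list of reasons a command looks suspicious (empty if none)."""
    return [reason for pattern, reason in SUSPICIOUS if pattern.search(command)]


def audit_project(xml_text):
    """Return one finding per build-time command that matches an indicator."""
    findings = []
    for kind, command in extract_build_events(xml_text):
        reasons = flag_command(command)
        if reasons:
            findings.append({"event": kind, "command": command, "reasons": reasons})
    return findings


# Constructed sample project: one DLL-launching pre-build event, one benign copy step,
# and one PowerShell Exec task. File and export names are invented for this example.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="exploit.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,Start</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)out"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Stage" AfterTargets="Build">
    <Exec Command="powershell -ep bypass -File $(ProjectDir)setup.ps1" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for finding in audit_project(SAMPLE_VCXPROJ):
        print(f"[{finding['event']}] {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run it against a real project with `audit_project(open("path/to/project.vcxproj").read())`; anything it lists deserves a look before you hit Build, because MSBuild will run that command with your privileges regardless of whether the exploit code itself compiles.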

The threat group ran its deception across a variety of platforms, including email, fake Twitter and Telegram accounts, LinkedIn, Keybase, and others. In their report, TAG researchers listed URLs for a number of now-removed social media and LinkedIn accounts they say were used in the campaign.

“We hope this post will remind those in the security research community that they are targets for government-backed attackers and that they should remain vigilant when engaging with people they have not previously interacted with,” the TAG researchers wrote.

The researchers say they have not yet identified the “compromise mechanism” the hackers used against targeted security researchers, “but we welcome any information others may have.”