Google said today that a government-backed hacking group from North Korea has been targeting members of the cyber-security community under the pretext of collaborating on vulnerability research.
The attacks were uncovered by the Google Threat Analysis Group (TAG), a Google security team that specializes in hunting advanced persistent threat (APT) groups.
In a report published earlier today, Google said that the North Korean hackers used multiple fake personas with profiles on various social networks, such as Twitter, LinkedIn, Telegram, Discord and Keybase, to reach out to security researchers.
Email was also used in some instances, Google said.
“After establishing initial communication, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio project,” said security researcher Adam Weidemann of Google TAG.
The Visual Studio project contained malicious code that installed malware on the targeted researcher’s operating system. The malware acted as a backdoor: it contacted a remote command and control server and awaited commands.
Mysterious new browser attack also discovered
But Weidemann said the attackers did not always deliver malicious files to their targets. In other cases, they asked security researchers to visit a blog they hosted at blog[.]br0vvnn[.]io (no longer accessible).
Google said the blog hosted malicious code that infected the security researcher’s computer when the site was visited.
“A malicious service was installed on the researcher’s system and an in-memory backdoor would connect to an actor-owned command and control server,” said Weidemann.
But Google TAG also said that many of the victims who visited the site were running “fully patched and up-to-date Windows 10 and Chrome browser versions” and were still infected.
Details about the browser-based attack are still scant, but some security researchers believe the North Korean group used a combination of Chrome and Windows 10 zero-day vulnerabilities to deploy its malicious code.
As a result, the Google TAG team is currently asking the cybersecurity community to share more information about the attacks if any security researchers believe they were infected.
The Google TAG report included a list of links to the fake social media profiles that the North Korean actors used to lure and trick members of the infosec community.
Security researchers are advised to review their browsing history and check whether they have interacted with any of these profiles or have accessed the malicious blog at the br0vvnn.io domain.
If they have, they are most likely infected and should take steps to check their own systems.
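As an added example of the history review recommended above (not code from Google’s report or this article), the following script searches a Chrome-format History database (an SQLite file with a `urls` table) for visits to the br0vvnn.io domain or any of its subdomains, matching on the parsed hostname so that look-alike hosts are not reported; the sample database it scans is constructed inline for illustration.

```python
import sqlite3
import tempfile
import os
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Domain named in the article as hosting the actor-controlled blog.
IOC_DOMAINS = ["br0vvnn.io"]

def chrome_time_to_iso(chrome_us):
    """Chrome stores visit times as microseconds since 1601-01-01 UTC (WebKit epoch)."""
    return (datetime(1601, 1, 1, tzinfo=timezone.utc)
            + timedelta(microseconds=chrome_us)).isoformat()

def find_ioc_visits(history_path, ioc_domains=IOC_DOMAINS):
    """Return (url, title, visit_time) for rows whose host is an IoC domain or a subdomain of one.
    Comparing the parsed hostname rather than a substring avoids look-alike false positives."""
    conn = sqlite3.connect(f"file:{history_path}?mode=ro", uri=True)  # open read-only: never modify evidence
    try:
        rows = conn.execute("SELECT url, title, last_visit_time FROM urls").fetchall()
    finally:
        conn.close()
    hits = []
    for url, title, ts in rows:
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in ioc_domains):
            hits.append((url, title, chrome_time_to_iso(ts)))
    return hits

def run_sample_check():
    """Build a constructed sample History DB (only the columns the check reads) and scan it."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER)")
    conn.executemany("INSERT INTO urls (url, title, last_visit_time) VALUES (?, ?, ?)", [
        ("https://blog.br0vvnn.io/posts/1", "sample post", 13256000000000000),     # IoC subdomain: must match
        ("https://github.com/example/repo", "sample repo", 13256000100000000),      # benign: must not match
        ("https://br0vvnn.io.example.net/", "look-alike host", 13256000200000000),  # look-alike: must not match
    ])
    conn.commit()
    conn.close()
    try:
        return find_ioc_visits(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    for url, title, when in run_sample_check():
        print(f"{when}  {url}  ({title})")
```

Chrome holds a lock on the live History file while it is running, so copy the file (typically `History` inside the profile directory) and point `find_ioc_visits` at the copy.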
The reason for targeting security researchers is clear: it could allow the North Korean group to steal exploits for vulnerabilities discovered by the infected researchers, which the threat group could then deploy in its own attacks without bearing any of the development costs.
Meanwhile, several security researchers have already revealed on social media that they received messages from the attackers’ accounts; however, none has admitted to having their systems compromised.