North Korean hackers are targeting security researchers

Photo: JACK GUEZ / AFP (Getty Images)

A recent phishing campaign run by North Korean state-backed hackers successfully tricked several security professionals working on vulnerability research and development, according to a new report from Google's Threat Analysis Group (TAG).

The unnamed threat group used a range of social engineering tactics to pose as fellow "white hat" security specialists, persuading unsuspecting researchers that they wanted to collaborate on vulnerability research, according to the TAG report.

Much of the deception rested on a fake research blog filled with essays and analysis. The hackers even got unwitting legitimate researchers to contribute "guest" posts, in an apparent "attempt to build additional credibility." They also shared YouTube videos on social media in which they walked through exploits they claimed to have carried out; the report describes those exploits as fake, another ploy to build trust.

Several threat researchers took to Twitter on Monday night to say they had been targeted by the campaign.

The hackers loaded their blog with malware in an attempt to compromise the researchers who visited it. Opening a post hosted on the site triggered the malware and installed a backdoor that would "begin beaconing" (that is, communicating) to the group's command-and-control server. Zero-day vulnerabilities were likely used in this campaign, since most of the targeted individuals were running fully patched versions of the Chrome browser and Windows 10, the report notes.

Malware was also delivered under the cover of research "collaboration." The report says:

"After establishing the initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together and then provide the researcher with a Visual Studio project. Within the Visual Studio project there would be source code for exploiting the vulnerability, as well as an additional DLL that would run through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains."
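The practical check a researcher can make before building a project received from a stranger is to read every build event in the .vcxproj, because MSBuild runs PreBuildEvent, PreLinkEvent, PostBuildEvent, CustomBuild and <Exec> commands as shell commands the moment the project is built. The following scanner is an added example written for this article, not code from the TAG report or from the campaign; the sample project it parses is constructed (the DLL name, the PowerShell command and the batch file are made up), and the keyword list is an illustrative heuristic rather than an indicator list from the report.

```python
"""Scan a Visual Studio project (.vcxproj) for build-event commands.

Added example, not from the TAG report or the article. MSBuild executes the
text of PreBuildEvent/PreLinkEvent/PostBuildEvent/CustomBuild <Command>
elements and the Command attribute of <Exec> tasks as shell commands during a
build, so a project handed to a researcher can load a DLL the moment it is
compiled. This script lists every such command and flags the ones that look
like code execution rather than a normal build step.
"""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"

# Elements whose <Command> child is run as a shell command by MSBuild.
EVENT_ELEMENTS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuild")

# Illustrative heuristic (constructed for this example, not from the report):
# LOLBins, PowerShell policy bypasses and script/DLL launches from a build step.
# It is deliberately over-inclusive; every build command should be read anyway.
SUSPICIOUS = re.compile(
    r"rundll32|regsvr32|powershell|mshta|certutil|bitsadmin|-enc\b|-ep\s+bypass"
    r"|\.(?:dll|bat|cmd|ps1|vbs)\b",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.split("}", 1)[-1]


def find_build_commands(vcxproj_xml):
    """Return [(element_name, command_text)] for every build-time command
    in the project, in document order, whether or not it looks suspicious."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in EVENT_ELEMENTS:
            for cmd in elem.iter("{%s}Command" % MSBUILD_NS):
                if cmd.text and cmd.text.strip():
                    found.append((tag, cmd.text.strip()))
        elif tag == "Exec":  # <Exec Command="..."/> inside a <Target>
            command = elem.get("Command", "").strip()
            if command:
                found.append((tag, command))
    return found


def flag_suspicious(vcxproj_xml):
    """Return only the build commands that match the heuristic above."""
    return [(t, c) for t, c in find_build_commands(vcxproj_xml) if SUSPICIOUS.search(c)]


def scan_file(path):
    """Convenience wrapper: scan a .vcxproj on disk."""
    with open(path, encoding="utf-8") as fh:
        return flag_suspicious(fh.read())


# Constructed sample project: a benign post-build echo, a pre-build event that
# launches a DLL through PowerShell and rundll32 (hypothetical names), and an
# <Exec> task that runs a batch file. Not a real project from the campaign.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="exploit.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PostBuildEvent>
      <Command>echo Built $(ProjectName)</Command>
    </PostBuildEvent>
    <PreBuildEvent>
      <Command>powershell -ep bypass -c "rundll32 $(ProjectDir)helper.dll,Init"</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Stage" AfterTargets="Build">
    <Exec Command="cmd /c $(ProjectDir)stage.bat" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for name, command in find_build_commands(SAMPLE_VCXPROJ):
        marker = "SUSPICIOUS" if SUSPICIOUS.search(command) else "ok        "
        print(f"{marker} {name}: {command}")
```

Run it against the sample and the pre-build PowerShell/rundll32 line and the batch-file Exec are flagged while the echo is not. The scanner only reads the project file; it does not build it, which is the point: the project should be inspected (ideally in an isolated VM) before Visual Studio is ever allowed to run its build events.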

The group used a variety of channels to run the deception, including email, fake Twitter and Telegram accounts, LinkedIn, Keybase and others. In its report, TAG listed the URLs of a number of now-deleted social media and LinkedIn accounts it says were used in the campaign.


“We hope this message reminds people in the security research community that they are targets of government-backed attackers and should be vigilant when interacting with individuals with whom they have not previously interacted,” TAG researchers wrote.

The researchers say they have not yet identified the "compromise mechanism" the hackers used against the targeted security researchers, "but we welcome any information other people have."
