Lazarus Affiliate ‘ZINC’ Blamed for Campaign Against Security Researcher

New details emerge of how North Korean-linked APT won trust of experts and exploited Visual Studio to infect systems with ‘Comebacker’ malware.

Microsoft has attributed a recently discovered campaign, which targets security researchers with custom malware through elaborate social-engineering attacks, to an APT group affiliated with the North Korea-linked Lazarus Group.

Google’s Threat Analysis Group (TAG) on Monday already sounded a warning about the attacks, which play the long game and leverage social media to set up trust relationships with researchers and then infect their systems with malware through either malicious web pages or collaborative Visual Studio projects. The attackers appear so far only to be targeting researchers using Windows machines.

Given Microsoft’s connection to the attacks, researchers from the Microsoft 365 Defender Threat Intelligence Team revealed Thursday in a blog post what they have seen of the campaign. They attributed the attacks to ZINC, a threat group associated with Lazarus, and said they first observed the malicious activity after Microsoft Defender for Endpoint detected an attack in progress.

Researchers said with “high confidence” that the campaign, which they saw targeting “pen testers, private offensive security researchers, and employees at security and tech companies,” looks like the work of ZINC because of its “observed tradecraft, infrastructure, malware patterns, and account affiliations.”

APT groups in North Korea are known to be closely affiliated and directly linked to the regime of Kim Jong Un. The largest and most prolific of those groups is Lazarus, which is one of several groups believed to be responsible for an attack last month on COVID-19 vaccine makers to steal intellectual property.

Microsoft’s threat analysis also sheds new light on one of the two key attack vectors the actors used: providing researchers who agree to collaborate with a Visual Studio project infected with malicious code, which researchers identified as the Comebacker malware. Google TAG researchers had already identified this scenario in their advisory, but not in great detail.

TAG’s initial alert revealed that attackers linked to North Korea were targeting security researchers in a campaign it said it had been tracking over the last several months that uses various means—including attackers going so far as to set up their own research blog, multiple Twitter profiles and other social-media accounts—to interact with and attack security professionals at multiple organizations.

Because those infected were running fully patched and up-to-date Windows 10 and Chrome browser versions, the hackers likely were using zero-day vulnerabilities in their campaign, according to TAG.

Microsoft cited Google TAG’s research for “capturing the browser-facing impact of this attack” and said it’s releasing its own findings “to raise awareness in the cybersecurity community about additional techniques used in this campaign and serve as a reminder to security professionals that they are high-value targets for attackers.”

The campaign observed by the Microsoft team saw ZINC beginning to build its reputation in the research community using Twitter in mid-2020. Threat actors began by “retweeting high-quality security content and posting about exploit research from an actor-controlled blog,” according to Microsoft.

The actor in question operated several accounts with about 2,000 combined followers, including “many prominent security researchers,” according to Microsoft.

In terms of the Visual Studio attack, the 365 Defender team said the malicious DLL file mentioned by Google researchers as setting up the command-and-control (C2) channel was disguised in Browse.vc.db, one of the pre-built binaries typically found in Visual Studio. Moreover, Microsoft Defender for Endpoint identified the DLLs as Comebacker malware.

“A pre-build event with a PowerShell command was used to launch Comebacker via rundll32,” according to Microsoft. “This use of a malicious pre-build event is an innovative technique to gain execution.”

Once the malicious Visual Studio Project file was built, the process drops C:\ProgramData\VirtualBox\update.bin and adds the file to an autostart registry key, according to Microsoft.

“The actors put some effort into modifying the Comebacker malware attributes between deployments; file names, file paths and exported functions were regularly changed so these static IOCs can’t be solely relied upon for dependable detection,” researchers explained.
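Since file names, paths and exports changed between deployments, a behavioral check is to list every command a Visual Studio project would run at build time before opening or building a project received from someone else. The Python below is an added example, not code from Microsoft's or Google's reports; it reads MSBuild build events and `Exec` tasks and flags commands that invoke script hosts or DLL loaders. The list of flagged tools is an assumed heuristic, and the sample project and its placeholder names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose contents are executed as shell commands during a build.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}
# Assumed heuristic: script hosts and DLL loaders that rarely belong in a build step.
SUSPICIOUS = re.compile(r"\b(powershell|pwsh|rundll32|regsvr32|mshta)\b", re.I)

def local(tag):
    """Strip the XML namespace that MSBuild applies to every element."""
    return tag.rsplit("}", 1)[-1]

def audit_project(xml_text):
    """Return (element, command, flagged) for each build-time command found."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = local(elem.tag)
        if name in EVENT_TAGS:
            # .vcxproj nests <Command>; .csproj puts the command text in the element.
            cmds = [c.text for c in elem if local(c.tag) == "Command"] or [elem.text]
        elif name == "Exec":
            cmds = [elem.get("Command")]  # custom targets run commands via Exec
        else:
            continue
        for cmd in cmds:
            if cmd and cmd.strip():
                findings.append((name, cmd.strip(), bool(SUSPICIOUS.search(cmd))))
    return findings

# Constructed sample project; file and export names are placeholders.
SAMPLE = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>powershell -Command "rundll32 PLACEHOLDER.db,PlaceholderExport"</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)dist"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Setup" BeforeTargets="Build">
    <Exec Command="pwsh -File setup.ps1" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for name, cmd, flagged in audit_project(SAMPLE):
        print("REVIEW" if flagged else "ok    ", name, "->", cmd)
```

An unflagged command still runs with the developer's privileges when the project builds, so the full list is worth reading, not only the flagged entries.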

The attack also uses a DLL called Klackring that registers a malicious service on the targeted machine, they noted. Researchers believe either the Comebacker malware or an unknown dropper deploys this service to C:\Windows\system32, saving it with the .sys file extension.
