North Korea Targets Security Researchers in Elaborate 0-Day Campaign


Hackers masquerade as security researchers to befriend analysts and eventually infect fully patched systems at multiple firms with a malicious backdoor.

Hackers linked to North Korea are targeting security researchers with an elaborate social-engineering campaign that sets up trusted relationships with them — and then infects their organizations’ systems with custom backdoor malware.

That’s according to Google’s Threat Analysis Group (TAG), which issued a warning late Monday about a campaign it has tracked over the last several months that uses various means to interact with and attack professionals working on vulnerability research and development at multiple organizations.

The effort includes attackers going so far as to set up their own research blog, multiple Twitter profiles and other social-media accounts in order to look like legitimate security researchers themselves, according to a blog post by TAG’s Adam Weidemann. The attackers first open communications with a researcher in a way that suggests they are credibly working on similar projects, then propose a collaboration, and eventually infect the victim’s machine.

The infections are delivered either through a backdoored Visual Studio project or via a malicious website, he wrote. Moreover, victims of the website vector were running fully patched, up-to-date versions of Windows 10 and the Chrome browser at the time of compromise, a signal that the attackers were likely using zero-day vulnerabilities in the campaign, the researcher concluded.

TAG attributed the threat actors to “a government-backed entity based in North Korea.”

“They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control,” according to the post. “Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including ‘guest’ posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.”

In addition to Twitter, the threat actors also used other platforms, including LinkedIn, Telegram, Discord, Keybase and email, to communicate with potential targets, Weidemann said. So far TAG has only observed the actors targeting researchers working on Windows systems.

Making Connections

Attackers initiate contact by asking a researcher whether he or she wants to collaborate on vulnerability research. The threat actors appear to be credible researchers in their own right because they have already posted videos of exploits they claim to have written, including a YouTube video purporting to show a working exploit for a recently patched Windows Defender vulnerability, CVE-2021-1647.

Microsoft patched CVE-2021-1647, a remote code execution flaw in the Microsoft Defender engine, in its January 2021 update and said it had already been exploited in the wild before the fix; some reports speculated that it had been used in the SolarWinds intrusion, but that link was not confirmed.

“In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake,” Weidemann explained.

If an unsuspecting targeted researcher agrees to collaborate, attackers then provide the researcher with a Visual Studio Project infected with malicious code. Several targets took to Twitter to describe their experiences.

“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events,” Weidemann wrote. “The DLL is custom malware that would immediately begin communicating with actor-controlled command-and-control (C2) domains.”
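Build events are ordinary shell commands that MSBuild runs before or after compiling, so simply building a shared project is enough to launch whatever they reference. The following is an added example (not code from Google TAG, Threatpost or the campaign itself) of a check a researcher can run over a received project before opening it in Visual Studio: it parses the project XML, lists every build-event command, and flags ones that invoke a script host or living-off-the-land binary or that reference a DLL. The sample .vcxproj, the list of suspicious launchers and the DLL name are constructed for illustration and are not the actual file from the campaign.

```python
"""Flag Visual Studio build events that run commands during a build.

Added example, not from Google TAG or Threatpost. The project XML below is
constructed to mimic the technique described in the article (a DLL launched
from a build event); it is not the real project used in the campaign.
"""
import re
import xml.etree.ElementTree as ET

# Elements whose content MSBuild executes as a shell command.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}

# Assumed list of launchers worth flagging (not taken from the TAG post),
# plus any reference to a .dll file.
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|powershell|pwsh|mshta|wscript|cscript|certutil|bitsadmin)\b"
    r"|\.dll\b",
    re.IGNORECASE,
)

# Constructed sample: one legitimate copy step and one DLL launched pre-build.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <Optimization>Disabled</Optimization>
    </ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir).vs\\loader.dll",Start</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so old-style and SDK-style projects both work."""
    return tag.rsplit("}", 1)[-1]


def find_build_events(project_xml: str):
    """Return (element, command) for every build-event command in the project.

    Handles the vcxproj form (<PreBuildEvent><Command>..</Command>), the old
    csproj form (<PreBuildEvent>..</PreBuildEvent>) and <Exec Command=".."/>
    inside custom targets.
    """
    root = ET.fromstring(project_xml)
    events = []
    for el in root.iter():
        name = _local(el.tag)
        if name in EVENT_TAGS:
            cmd = next((c for c in el if _local(c.tag) == "Command"), None)
            text = cmd.text if cmd is not None else el.text
            if text and text.strip():
                events.append((name, text.strip()))
        elif name == "Exec" and el.get("Command"):
            events.append(("Exec", el.get("Command").strip()))
    return events


def suspicious_events(project_xml: str):
    """Subset of build events that launch a script host or touch a DLL."""
    return [(name, cmd) for name, cmd in find_build_events(project_xml)
            if SUSPICIOUS.search(cmd)]


if __name__ == "__main__":
    for name, cmd in find_build_events(SAMPLE_VCXPROJ):
        flag = "SUSPICIOUS" if SUSPICIOUS.search(cmd) else "ok"
        print(f"{flag:10} {name}: {cmd}")
```

Run it over every .vcxproj, .csproj and .props in a received project directory, and treat any flagged event as a reason to inspect the project in a disposable VM rather than on a research workstation; a clean result is not proof of safety, since project files can also import other .targets files.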

Victims also can be infected by following a link posted on Twitter to the actors’ blog at blog.br0vvnn[.]io, according to TAG. Shortly after a visit to the site, a malicious service was installed on the researcher’s system that executed an in-memory backdoor, which then connected to an actor-owned C2 server, researchers discovered.

The TAG team has so far been unable to confirm the mechanism of compromise used by the website, and it asked the wider security community to submit any relevant information through the Chrome Vulnerability Reward Program.

TAG did not state a motive for the attacks; presumably the threat actors aim to steal unreleased vulnerability research and exploits for use in North Korean advanced persistent threat (APT) campaigns.

Weidemann’s post includes a list of known accounts and domains used in the campaign, and he advised researchers who may have communicated with any of the accounts or visited related sites to review their systems for compromise.
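One concrete part of that review is checking proxy or DNS logs for the published indicators. The following is an added example (not part of the article or of TAG’s tooling) that takes the one domain this article names, blog.br0vvnn[.]io, refangs it, and matches it against proxy log lines by exact host or subdomain rather than by substring, so a look-alike host that merely contains the string is not reported. The log lines and their format are constructed for illustration.

```python
"""Match published, defanged domain indicators against proxy log lines.

Added example, not from Google TAG or Threatpost. The only indicator used is
the blog domain named in the article; the log lines are constructed.
"""
from urllib.parse import urlsplit

# Indicator exactly as published in defanged form.
IOC_DOMAINS = ["blog.br0vvnn[.]io"]

# Constructed proxy-style log: timestamp client status bytes method url user
SAMPLE_LOG = """1611600000.123 10.0.0.5 TCP_MISS/200 5120 GET https://blog.br0vvnn.io/ -
1611600001.456 10.0.0.7 TCP_MISS/200 810 GET https://www.example.com/index.html -
1611600002.789 10.0.0.5 TCP_TUNNEL/200 9921 CONNECT blog.br0vvnn.io:443 -
1611600003.012 10.0.0.9 TCP_MISS/200 300 GET https://blog.br0vvnn.io.example.com/ -
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable host."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def host_of(field: str) -> str:
    """Extract the host from a full URL or a bare host[:port] (CONNECT) field."""
    if "://" in field:
        return (urlsplit(field).hostname or "").lower()
    return field.split(":", 1)[0].lower()


def host_matches(host: str, ioc: str) -> bool:
    """True for the indicator itself or any subdomain of it, never a substring."""
    return host == ioc or host.endswith("." + ioc)


def scan_log(log_text: str, indicators=IOC_DOMAINS):
    """Return (client_ip, host) for each log line whose host matches an IOC."""
    iocs = [refang(i) for i in indicators]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed or truncated line; skip rather than guess
        host = host_of(parts[5])
        if any(host_matches(host, ioc) for ioc in iocs):
            hits.append((parts[1], host))
    return hits


if __name__ == "__main__":
    for client, host in scan_log(SAMPLE_LOG):
        print(f"{client} contacted {host}")
```

The decoy host on the last line contains the indicator as a substring but is a different registered domain, which is why a plain grep over the log would over-report; the suffix check keeps the match to the domain and its subdomains.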

“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with,” Weidemann wrote.
