The same North Korean threat actors that targeted security researchers in January appear to be readying a new campaign using a fake company (and associated social-media accounts) that aim to lure security professionals into another cyber-espionage trap.
Google discovered the site as well as Twitter and LinkedIn profiles for a fake company called “SecuriElite” that purports to be an offensive security firm located in Turkey, according to a post published Wednesday by the Google Threat Analysis Group (TAG). The company claims to offer pen-tests, software security assessments and exploits, researchers said.
However, there are clear indications that the company and its associated websites and profiles are bogus, and actually the work of Zinc, a North Korean advanced persistent threat group (APT) linked to a more notorious APT Lazarus, and later blamed for the January campaign.
Moreover, while researchers have seen no evidence yet of nefarious activity from attackers that leverage these web assets, it appears that attackers are gearing up to target security researchers again by the nature of the activity, according to Google TAG.
Like previous websites that Google TAG has observed Zinc establish, the SecuriElite website has a link to the group’s PGP public key at the bottom of the page, researchers noted.
“In January, targeted researchers reported that the PGP key hosted on the attacker’s blog acted as the lure to visit the site, where a browser exploit was waiting to be triggered,” according to the post.
The social-media profiles associated with SecuriElite also are suspicious, with attackers once again posing as fellow security researchers interested in exploitation and offensive security, according to Google TAG.
“On LinkedIn, we identified two accounts impersonating recruiters for antivirus and security companies,” researchers said in the post, which includes screenshots of the profiles and a tweet from SecuriElite.
Even though Google TAG researchers have not witnessed malicious activity yet, they have reported all identified social-media profiles to the respective platforms so they can take appropriate action.
They also added the URL for the SecuriElite website, www.securielite[.]com, to Google Safe Browsing, which will flag it to users for suspicious activity, according to the post. Researchers include a full list of links to the fake LinkedIn and Twitter profiles, as well as email addresses and links to attacker-owned domains associated with the operation in the post.
January Researcher Cyber-Campaign
That campaign — like the one recently observed — used elaborate social-engineering through Twitter and LinkedIn, as well as other media platforms like Discord and Telegram, to set up trust relationships by appearing to be legitimate researchers interested in offensive security. Once they established connections, attackers proceeded with malicious activity.
Specifically, attackers initiated contact by asking researchers if they wanted to collaborate on vulnerability research together. They demonstrated their own credibility by posting videos of exploits they’ve worked on, including faking the success of a working exploit for an existing, patched Windows Defender vulnerability that received great notoriety as one that had been exploited as part of the massive SolarWinds attack.
Eventually, attackers provided the targeted researchers with a Visual Studio Project infected with malicious code that could install a backdoor onto their system. Victims also could get infected by following a malicious Twitter link.
Security researchers infected in those attacks were running fully patched and up-to-date Windows 10 and Chrome browser versions, according to TAG, which signaled that hackers likely were using zero-day vulnerabilities in their campaign.
At the time, researchers surmised that the motive behind the attacks was to uncover and steal vulnerabilities to use in North Korean APT campaigns, they said.
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)