Security researchers targeted by North Korean hackers
Over the past few months, hackers have been trying to surreptitiously backdoor the computer systems of a number of security researchers working on vulnerability research and development at different companies and organizations, the Google Threat Analysis Group (TAG) revealed on Monday.
The hackers’ tactics
The hackers, who Google TAG believes are backed by the North Korean government, first created a blog, populated it with write-ups about vulnerabilities that have been publicly disclosed, then created Twitter, LinkedIn, Keybase, and Telegram accounts with fake personas and used them to try to contact the targeted security researchers directly.
“After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” Google TAG researcher Adam Weidemann explained.
“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.”
This clever approach was supplemented with another: they would share a link to the blog with the targeted researchers and ask them to check out a write-up.
“Shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions,” Weidemann noted.
It seems that the attackers might have exploited a zero-day Chrome vulnerability to pull off the compromise, though the team says that they are still unable to confirm the mechanism of compromise.
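The Visual Studio Build Events delivery path described above can be checked before a shared project is opened or built. The following is an added example, not code from Google TAG or the original article, that lists every command an MSBuild project file would run at build time; the sample project and the file names in it are constructed placeholders.

```python
import pathlib
import xml.etree.ElementTree as ET

# MSBuild elements that run a command during a build (C++ and C# project styles).
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}
PROJECT_GLOBS = ("*.vcxproj", "*.csproj", "*.props", "*.targets")

def local(tag):
    """Drop the XML namespace that MSBuild files put on every element."""
    return tag.rsplit("}", 1)[-1]

def build_time_commands(project_xml):
    """Return (element, command) pairs for everything the project runs when built."""
    found = []
    for elem in ET.fromstring(project_xml).iter():
        name = local(elem.tag)
        if name in EVENT_TAGS:
            # C++ style nests the text in <Command>; C# style holds it directly.
            cmds = [c.text for c in elem if local(c.tag) == "Command"] or [elem.text]
            found += [(name, c.strip()) for c in cmds if c and c.strip()]
        elif name == "Exec" and (elem.get("Command") or "").strip():
            found.append(("Exec", elem.get("Command").strip()))
    return found

def scan_tree(root_dir):
    """Map each project file under root_dir to its build-time commands, if any."""
    report = {}
    for pattern in PROJECT_GLOBS:
        for path in pathlib.Path(root_dir).rglob(pattern):
            cmds = build_time_commands(path.read_text(encoding="utf-8-sig"))
            if cmds:
                report[str(path)] = cmds
    return report

# Constructed sample, not taken from the campaign: one build event, one Exec task.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>"$(ProjectDir)res\\placeholder-tool.exe" placeholder.dat</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Notify" AfterTargets="Build">
    <Exec Command="echo build finished" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for element, command in build_time_commands(SAMPLE_VCXPROJ):
        print(f"{element}: {command}")
```

Run `scan_tree` on an unpacked archive inside an isolated VM and read every reported command before loading the solution in Visual Studio; an empty report only means these particular hooks are absent.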
Have you been targeted?
Google TAG has shared a list of Twitter, LinkedIn, Keybase, and Telegram accounts the attackers used, the URL of the malicious blog, the URLs of command and control domains, malware hashes and host-related indicators of compromise.
The release of all this information prompted some of the targeted researchers to share their experiences:
Hey folks, story time. A guy going by the name James Willy approached me about help with a 0-day. After providing a writeup on root cause analysis I realized the visual studio project he gave me was backdoored.
— Alejandro Caceres (@_hyp3ri0n) January 26, 2021
WARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only ran it in VM.. in the end the VMDK I was using was actually corrupted and non-bootable, so it self-imploded https://t.co/dvdCWsZyne
— Richard Johnson (@richinseattle) January 26, 2021
At least two of mentioned accounts contacted me via DM. Always happy to help if I can, but their attempt was too shady to interact: https://t.co/yqJNc6CGML pic.twitter.com/3NCh912lWu
— Hossein Lotfi (@hosselot) January 26, 2021
Reverse engineer and threat intelligence analyst Kevin Perlow has also analyzed some of the malware used in these attacks.
“To date, we have only seen these actors targeting Windows systems as a part of this campaign,” Weidemann concluded.
“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.”
UPDATE (January 26, 2021, 10:40 a.m. PT):
Cisco has shared that some of its researchers have been targeted (unsuccessfully) by the attackers.
“It is worth noting that the attacker has a good grasp of the English language and made contact within the normal working hours for the researcher based on their time zone, denoting some care regarding the quality of the lure,” they said, and stressed the importance of remaining vigilant as a researcher.
“Your work is not only read and digested by these threat actors, you can also be a potential target for state-sponsored actors that carry out these attacks. Researchers should be encouraged to follow best practices and only conduct research in safe environments. This includes isolating samples and projects from each other in the event one has been backdoored by a nefarious party. These types of campaigns are likely more popular than we realize and as defenders, we must remain vigilant.”
UPDATE (January 29, 2021, 03:20 a.m. PT):
Microsoft has released additional information about the hackers’ tactics, along with technical details and IoCs for the malware they used.
“The campaign originally came to our attention after Microsoft Defender for Endpoint detected an attack in progress. Observed targeting includes pen testers, private offensive security researchers, and employees at security and tech companies. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to ZINC, a DPRK-affiliated and state-sponsored group, based on observed tradecraft, infrastructure, malware patterns, and account affiliations,” Microsoft noted.