An ongoing cyber-espionage campaign is targeting security experts involved in vulnerability research and development at different companies and organizations, Google’s Threat Analysis Group has warned in its new report.
The attackers behind this campaign, attributed by TAG to a “government-backed entity based in North Korea”, use a number of tricks to gain victims’ trust, mostly by posing as researchers themselves. These include creating their own research blogs and filling them with analyses of already publicly disclosed vulnerabilities to appear legitimate.
The malicious actors also created multiple Twitter profiles for posting links to their blog, publishing videos of their claimed exploits and for amplifying and retweeting posts from other accounts under their control.
“While we are unable to verify the authenticity or the working status of all of the exploits that they have posted videos of, in at least one case, the actors have faked the success of their claimed working exploit. On Jan 14, 2021, the actors shared via Twitter a YouTube video they uploaded that proclaimed to exploit CVE-2021-1647, a recently patched Windows Defender vulnerability. In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake,” the research team said. “Multiple comments on YouTube identified that the video was faked and that there was not a working exploit demonstrated. After these comments were made, the actors used a second Twitter account (that they control) to retweet the original post and claim that it was ‘not a fake video.’”
According to Google, the threat actor contacted the intended victims asking to collaborate on vulnerability research. Aside from Twitter, the hackers also used LinkedIn, Telegram, Discord, Keybase and email to reach out to their targets, sending them a Microsoft Visual Studio project that contained malware. In other instances, victims’ computers were compromised simply by visiting the threat actor’s blog via a link posted on Twitter. Both methods led to the installation of a malicious service and an in-memory backdoor on the victim’s computer, which then communicated with an attacker-controlled command and control server.
The researchers said that so far the hackers had targeted only Windows machines. The team recommends that researchers concerned about being targeted by this campaign compartmentalize their activities, using separate physical or virtual machines for general web browsing, for interacting with others in the research community, for accepting files from third parties, and for their own security research.
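One practical check before opening a Visual Studio project received from a third party, as an added example that is not part of Google’s report: MSBuild project files (.vcxproj, .csproj) can run commands at build time through build events, Exec tasks and custom task assemblies, so auditing the XML for those elements on an isolated machine shows what the project would execute. The sample project XML below is constructed for illustration.

```python
"""Audit an MSBuild project file for elements that execute commands or load
code during a build, before the project is opened or built.
Added example, not the TAG report's own tooling; assumes the project arrives
as MSBuild XML (legacy namespaced or SDK-style)."""
import xml.etree.ElementTree as ET

# MSBuild elements that run a command or load an assembly when the project builds
SUSPICIOUS_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Exec", "UsingTask"}


def _local(tag):
    """Strip the XML namespace so legacy and SDK-style projects match alike."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(project_xml):
    """Return a list of (element_name, command_or_assembly) for every element
    that would execute something at build time. An empty list means the
    project declares no build-time execution."""
    findings = []
    root = ET.fromstring(project_xml)
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in SUSPICIOUS_TAGS:
            continue
        # Exec carries the command in an attribute, UsingTask the assembly path;
        # build events keep the command in a <Command> child element.
        payload = elem.get("Command") or elem.get("AssemblyFile") or ""
        for child in elem:
            if _local(child.tag) == "Command" and child.text:
                payload = child.text.strip()
        findings.append((name, payload))
    return findings


# Constructed sample: a legacy-style project with two build-time execution points.
SAMPLE_PROJECT = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><Configuration>Release</Configuration></PropertyGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent><Command>cmd /c $(ProjectDir)setup.cmd</Command></PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="$(OutDir)tool.exe" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for element, payload in find_build_commands(SAMPLE_PROJECT):
        print(f"{element}: {payload}")
```

Run it against the received project file (read its text and pass it to `find_build_commands`) on the machine reserved for third-party files, and treat any finding as something to read in full before building.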