Google has released a report revealing that North Korean hackers are using social media to target security researchers who work on vulnerability research. The attacks were detected by Google's Threat Analysis Group (TAG), the Google security team that specializes in tracking APT hacking groups.
More specifically, Google reported that the North Korean hackers used fake personas on several popular social media platforms, including Twitter, LinkedIn, Telegram, Discord and Keybase, to communicate with security researchers. In some cases, the hackers also attempted to reach out to security researchers via email.
Adam Weidemann, a security researcher at Google TAG, said that after the hackers established initial contact, they asked the targeted researcher whether they wanted to collaborate on vulnerability research and then sent the researcher a Visual Studio Project.
The Visual Studio Project contained malicious code that installed malware on the targeted researcher's operating system. The malware operated as a backdoor, communicating with a remote C&C server and waiting for orders.
Weidemann explained that the attackers did not always send malicious files to their targets. In some cases, security researchers were instead asked to visit a blog hosted at blog[.]br0vvnn[.]io. According to Google, the blog hosted malicious code that "infected" the security researcher's computer once they visited the site. Specifically, Weidemann noted that a malicious service was installed on the researcher's system along with an in-memory backdoor that began transferring data to a C&C server controlled by the hackers.
Details of the browser-based attacks are so far minimal. However, some security researchers believe that the North Korean hackers may have used a combination of vulnerabilities in Chrome and Windows 10 to develop the malicious code.
The Google TAG team is therefore asking the cybersecurity community to share more information about these attacks, and any security researchers who believe they have been infected to come forward.
The Google TAG report includes a list of links to the fake social media profiles the North Korean hackers used to reach out to security researchers.
In addition, security researchers are advised to review their browsing history to see whether they interacted with any of these profiles or visited the malicious domain blog[.]br0vvnn[.]io. If so, they may well be infected and should take steps to investigate their systems.
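A browsing-history check of the kind recommended above, as an added example that is not from the article or from Google TAG: it scans a Chrome/Chromium History database for visits to blog[.]br0vvnn[.]io (or any subdomain of it) and converts Chrome's WebKit-epoch timestamps to readable times. The `urls` table layout is Chrome's; the sample rows are constructed for the demo.

```python
"""Scan a Chrome/Chromium History database for visits to the domain named in the article.
Added example (not from the article or Google TAG). Assumes Chrome's 'urls' table layout:
url, title, last_visit_time stored as microseconds since 1601-01-01 UTC."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Domain named in the article; written defanged in prose, real form needed to match URLs.
INDICATOR_DOMAINS = {"blog.br0vvnn.io"}
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds: int) -> datetime:
    """Chrome stores last_visit_time as microseconds since 1601-01-01 UTC, not Unix time."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def host_matches(url: str, domains) -> bool:
    """Match the URL host exactly or as a subdomain; a look-alike such as
    'br0vvnn.io.example.net' must not match."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def find_indicator_visits(conn: sqlite3.Connection, domains=INDICATOR_DOMAINS):
    """Return (url, title, ISO-8601 visit time) for every history row on an indicator domain."""
    rows = conn.execute("SELECT url, title, last_visit_time FROM urls")
    return [(url, title, webkit_to_datetime(ts).isoformat())
            for url, title, ts in rows if host_matches(url, domains)]


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a History DB; the rows are sample data, not real visits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)")
    conn.executemany("INSERT INTO urls VALUES (NULL, ?, ?, 1, 0, ?, 0)", [
        ("https://blog.br0vvnn.io/post/1", "Research notes", 13255574400000000),  # 2021-01-20 UTC
        ("https://www.blog.br0vvnn.io/", "Home", 13255574460000000),             # subdomain, matches
        ("https://br0vvnn.io.example.net/", "Look-alike", 13255574520000000),    # must not match
        ("https://example.org/", "Unrelated", 13255574580000000),
    ])
    return conn


if __name__ == "__main__":
    for hit in find_indicator_visits(build_sample_history()):
        print(*hit)
```

Against a real profile, copy the History file first (Chrome keeps the live database locked) and pass the copy to `sqlite3.connect` in place of `build_sample_history()`.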
According to ZDNet, the North Korean hackers are targeting security researchers in order to steal exploits for vulnerabilities discovered by the infected researchers, vulnerabilities that the attackers could then use in their own attacks with little or no development effort.
Meanwhile, several security researchers have already revealed on social media that they received messages from the attackers' accounts, although none has so far reported that their systems were compromised.