{"id":39296,"date":"2021-01-26T01:14:00","date_gmt":"2021-01-26T01:14:00","guid":{"rendered":"http:\/\/94c8886c-faa8-4567-a0bb-d750182844dd"},"modified":"2021-01-26T01:14:00","modified_gmt":"2021-01-26T01:14:00","slug":"google-north-korean-hackers-have-targeted-security-researchers-via-social-media","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/google-north-korean-hackers-have-targeted-security-researchers-via-social-media\/","title":{"rendered":"Google: North Korean hackers have targeted security researchers via social media"},"content":{"rendered":"
\"hooded-hackers-north-korea.jpg\"<\/span>
<\/p>\n

Group of hooded hackers shining through a digital north korean flag cybersecurity concept<\/p>\n

<\/span> Michael Borgers, Getty Images\/iStockphoto <\/span><\/figcaption><\/figure>\n

Google said today that a North Korean government hacking group has targeted members of the cyber-security community engaging in vulnerability research.<\/p>\n

The attacks have been spotted by the Google Threat Analysis Group (TAG), a Google security team specialized in hunting advanced persistent threat (APT) groups.<\/p>\n

In a report published earlier today, Google said North Korean hackers used multiple profiles on various social networks, such as Twitter, LinkedIn, Telegram, Discord, and Keybase, to reach out to security researchers using fake personas.<\/p>\n

Email was also used in some instances, Google said.<\/p>\n

“After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” said Adam Weidemann, a security researcher with Google TAG.<\/p>\n

The Visual Studio project contained malicious code that installed malware on the targeted researcher’s operating system. The malware acted as a backdoor, contacting a remote command and control server and waiting for commands.<\/p>\n

This malware was later linked to the Lazarus Group, a well-known North Korean state-sponsored operation.<\/p>\n

\n
\n
\n

KTAE code similarity analysis for the malware used to target security researchers involved in 0day analysis and development. “Manuscrypt” (also known as FALLCHILL) is typically used by the Lazarus APT. \ud83d\udc49 pic.twitter.com\/hXxuJIj9Lc<\/a><\/p>\n

\u2014 Costin Raiu (@craiu) January 26, 2021<\/a><\/p><\/blockquote><\/div>\n<\/figure>\n

New mysterious browser attack also discovered<\/h3>\n
<\/section>\n

But Wiedemann said that the attackers didn’t always distribute malicious files to their targets. In some other cases, they asked security researchers to visit a blog they had hosted at blog[.]br0vvnn[.]io<\/strong> (do not access<\/em>).<\/p>\n

Google said the blog hosted malicious code that infected the security researcher’s computer after accessing the site.<\/p>\n

“A malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Weidemann said.<\/p>\n

But Google TAG also added that many victims who accessed the site were also running “fully patched and up-to-date Windows 10 and Chrome browser versions” and still got infected.<\/p>\n

Details about the browser-based attacks are still scant, but some security researchers believe the North Korean group most likely used a combination of Chrome and Windows 10 zero-day vulnerabilities to deploy their malicious code.<\/p>\n

As a result, the Google TAG team is currently asking the cyber-security community to share more details about the attacks, if any security researchers believe they were infected.<\/p>\n

The Google TAG report<\/a> includes a list of links for the fake social media profiles that the North Korean actor used to lure and trick members of the infosec community.<\/p>\n

Security researchers are advised to review their browsing histories and see if they interacted with any of these profiles or if they accessed the malicious blog.br0vvnn.io domain.<\/p>\n

\"nk-apt-twitter-profiles.png\"<\/span>