Campaign targeting cybersecurity researchers detected
Google has identified an ongoing campaign targeting security researchers who work on vulnerability research and development at multiple companies and organizations. The company attributes the campaign to a government-backed entity based in North Korea.
The attackers are reported to operate a research blog and several profiles on Twitter, LinkedIn, Telegram, Discord and Keybase, as well as email accounts, which they use to build credibility and to make contact with the targets of the attacks identified so far.
One attack vector is social engineering. The attackers first contact the researcher and propose collaborating on vulnerability research. They then send a Visual Studio project that, in addition to the exploit source code for the vulnerability, contains a DLL: custom malware that, once executed, communicates with command-and-control (C&C) domains controlled by the attackers. According to Google's report, the DLL is executed through Visual Studio Build Events, so simply building the shared project compromises the researcher's machine.
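One practical check before building a project received from a stranger is to list every command that MSBuild would run as a build event. The following script is an added example (it is not from Google's report or from the article) that parses a .vcxproj, extracts PreBuildEvent/PreLinkEvent/PostBuildEvent/CustomBuildStep commands and Exec tasks, and flags the ones that invoke common DLL or script launchers. The sample project text, the DLL name `helper.dll` and the export `Start` are constructed for the example and are not identifiers from the real campaign; the keyword list is an assumption and a starting point, not a complete detection rule.

```python
"""Inspect a Visual Studio project for build-event commands before building it.

Added example: loads MSBuild project XML, reports every build-event or Exec
command, and flags commands that use well-known DLL/script launchers.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# MSBuild elements whose <Command> child is executed by the build itself.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep")

# Assumed keyword list: launchers commonly used to load a DLL or run a script.
SUSPICIOUS = (
    "rundll32", "regsvr32", "powershell", "cmd.exe", "cmd ", "wscript",
    "cscript", "mshta", "certutil", "bitsadmin", ".dll",
)


def _local(tag):
    """Strip the MSBuild XML namespace (present in classic .vcxproj files)."""
    return tag.rsplit("}", 1)[-1]


def build_commands(project_xml):
    """Return [(element_name, command)] for every command the build would run."""
    root = ET.fromstring(project_xml)
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name in EVENT_TAGS:
            for child in el:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((name, child.text.strip()))
        elif name == "Exec":  # <Exec Command="..."/> inside a <Target>
            cmd = el.get("Command")
            if cmd and cmd.strip():
                found.append(("Exec", cmd.strip()))
    return found


def suspicious_commands(project_xml):
    """Subset of build_commands() whose command mentions a suspicious launcher."""
    return [
        (name, cmd)
        for name, cmd in build_commands(project_xml)
        if any(k in cmd.lower() for k in SUSPICIOUS)
    ]


def scan_directory(path):
    """Scan every .vcxproj/.csproj under path; return {file: [findings]}."""
    results = {}
    for proj in Path(path).rglob("*.*proj"):
        hits = suspicious_commands(proj.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(proj)] = hits
    return results


# Constructed sample: a benign post-build copy plus a pre-build rundll32 hook.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)out\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir).vs\\helper.dll",Start</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

# Constructed sample with no build events at all.
BENIGN_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup><ClCompile Include="poc.cpp" /></ItemGroup>
</Project>
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        for proj, hits in scan_directory(target).items():
            for name, cmd in hits:
                print(f"{proj}: {name}: {cmd}")
    else:
        for name, cmd in suspicious_commands(SAMPLE_VCXPROJ):
            print(f"SUSPICIOUS {name}: {cmd}")
```

Run it with a directory argument to scan a received solution, or without arguments to see it flag the constructed pre-build hook. The Release-only copy command is reported by `build_commands()` but not flagged, while the Debug pre-build `rundll32` line is flagged; a condition that only fires in one configuration is exactly the kind of detail a quick glance at the IDE misses.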
In other cases, researchers' systems were compromised through a mechanism that has not yet been identified after they followed a Twitter link to a post on the attackers' blog; according to Google, the affected systems were running fully patched, up-to-date versions of Windows 10 and Chrome. Shortly after the visit, a malicious service was installed and an in-memory backdoor began beaconing to a C&C server controlled by the attackers.
Google urges researchers to be cautious when interacting with people they have not worked with before, and to separate security research from everyday activity by using different physical devices or virtual machines for browsing, communication and for building or testing untrusted code.
[Update 31/03/2021] The attackers have set up a new website for a fake company called "SecuriElite" that claims to offer penetration tests, software security assessments and exploits. There is no evidence so far that the website serves malicious content, but it links to the same PGP public key that was used as the lure on the attackers' blog to bring visitors to the page where the browser exploit was triggered. The site has been added to Google Safe Browsing as a precaution.
- 25/01/2021, blog.google: New campaign targeting security researchers
- 25/01/2021, bleepingcomputer.com: North Korean hackers are targeting security researchers with malware, 0-days
- 26/01/2021, zdnet.com: Google: North Korean hackers have targeted security researchers via social media
- 27/01/2021, unaaldia.hispasec.com: Destapada una campaña contra investigadores de seguridad (Campaign against security researchers uncovered)
- 28/01/2021, microsoft.com: ZINC attacks against security researchers [Update 29/01/2021]
- 31/03/2021, blog.google: Update on campaign targeting security researchers [Update 31/03/2021]