Google’s Threat Analysis Group (TAG) published a report describing a campaign in which North Korean state-sponsored threat actors targeted security researchers. The actors built fake personas on social media that appeared to belong to vulnerability researchers, complete with a blog and videos claiming to analyze newly discovered software vulnerabilities. Once a persona was established, the actors used it to contact targeted researchers and propose collaborating on vulnerability research. If the researcher agreed, the actors sent a Visual Studio project containing proof-of-concept (PoC) exploit source code together with a hidden DLL. When the project was built, a Visual Studio build event ran a PowerShell command that checked whether the victim was running 64-bit Windows 10, Windows Server 2019, or Windows Server 2016. If the check passed, the command launched the malicious DLL with rundll32.exe. The DLL is a custom backdoor that connects to an actor-controlled command-and-control (C2) server. Google assesses that the main goal of the campaign was to steal unreleased exploit code and research from the targeted researchers.
Since Google’s report was published, many security researchers have taken to Twitter and other social media platforms to share their own experiences of being targeted in this campaign. Everyone needs to be aware of who they are talking to online; even security professionals can fall victim to attacks. No one should open documents or project files of any kind from people they do not know. It is not enough to check blogs and online publications credited to a person to decide that they are trustworthy: security researchers should ask members of their trust groups about the reputation of anyone claiming to be a researcher before collaborating with them. Any file sent by a new contact should be examined with the same care and caution used for malware samples, and researchers who discover an attempt to trick them should share the details with other trusted researchers. The information security research community is small and tight-knit enough that everyone in it should be looking out for their trusted contacts and sharing threat information to help everyone stay safe.
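The delivery mechanism described above (a PoC project whose build events quietly run PowerShell and rundll32) is something a researcher can check for before ever pressing Build, which is one concrete way to apply the advice to treat files from new contacts like malware samples. The following Python script is an added example, not code from Google TAG or from the BleepingComputer article: it parses a .vcxproj, extracts every pre-build, pre-link, post-build, custom-build and Exec command, and flags those that invoke PowerShell, rundll32 or similar living-off-the-land tools. The sample project, its file and export names, and the indicator list are constructed for this example and are not taken from the real campaign.

```python
"""Triage a Visual Studio project file (.vcxproj) for commands that run at build time.

Added example, not code from Google TAG or the reporting it summarises. The
indicator list and the sample project below are assumptions made for the demo.
"""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"

# MSBuild elements whose <Command> child is executed by Visual Studio when the
# project is built (or, for CustomBuildStep, when that step runs).
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}

# Indicators worth a second look: the tradecraft described above (PowerShell,
# rundll32) plus common living-off-the-land binaries and obfuscation switches.
# This list is an assumption for the example, not a complete detection rule.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|rundll32|regsvr32|mshta|certutil|bitsadmin|wscript|cscript"
    r"|-enc|frombase64string|downloadstring|invoke-expression|\biex\b|hidden",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def build_commands(vcxproj_xml):
    """Return (location, command) for every build-time command in the project."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            cmd = elem.find("{%s}Command" % MSBUILD_NS)
            if cmd is not None and cmd.text and cmd.text.strip():
                found.append((name, cmd.text.strip()))
        elif name == "Exec":
            # <Exec Command="..."/> inside a custom <Target> also runs a shell command.
            cmd = elem.get("Command")
            if cmd and cmd.strip():
                found.append(("Exec", cmd.strip()))
    return found


def triage(vcxproj_xml):
    """Return only the build commands that match an indicator."""
    return [(loc, cmd) for loc, cmd in build_commands(vcxproj_xml)
            if SUSPICIOUS.search(cmd)]


# Constructed sample: a project with a hidden pre-build event that checks for
# 64-bit Windows 10 / Server 2016 / Server 2019 and launches a DLL through
# rundll32, a benign post-build copy, and a custom target that decodes a blob.
# File names and the export name are made up for the example.
SAMPLE_VCXPROJ = r'''<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PreBuildEvent>
      <Command>powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "if ([Environment]::Is64BitOperatingSystem -and (Get-CimInstance Win32_OperatingSystem).Caption -match 'Windows 10|Server 2019|Server 2016') { rundll32.exe $(ProjectDir)res\helper.dat,Start }"</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Stage" AfterTargets="Build">
    <Exec Command="certutil -decode $(ProjectDir)res\blob.txt $(ProjectDir)res\blob.dll" />
  </Target>
</Project>
'''


if __name__ == "__main__":
    for location, command in triage(SAMPLE_VCXPROJ):
        print(f"[{location}] {command}")
```

Run against the constructed sample, the script reports the PreBuildEvent (PowerShell launching rundll32) and the Exec step (certutil decoding a blob) and stays silent on the ordinary post-build copy. The check is deliberately narrow: it only looks at commands MSBuild will run, so a project that instead ships a malicious NuGet package or a pre-compiled binary still needs to be examined separately, and the DLL itself should go through the same sandbox or static analysis you would use for any unknown sample.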
More can be read here: bleepingcomputer.com/news/security/north-korean-hackers-are-targeting-security-researchers-with-malware-0-days/