Google’s threat analysis team released an article outlining an attack campaign run by North Korean state-sponsored threat actors against security researchers. The threat actors used social media to create fake personas that appeared to be threat researchers. Those accounts posted blogs and videos the threat actors had put together, pretending to describe new vulnerabilities in software. Once a persona was established, the threat actors used the account to reach out to targeted security professionals and ask whether they could work together. If the victim agreed, the attackers sent the researcher a Visual Studio project containing a PoC (Proof of Concept) exploit along with a hidden DLL. Once opened, the project ran a PowerShell command that checked whether the victim was running 64-bit Windows 10, Windows Server 2019, or Windows Server 2016. If the checks passed, the PowerShell command ran the malicious DLL using rundll32.exe. The DLL is a custom backdoor that calls out to a Command-and-Control server. Google states that the main goal of this attack is to steal the exploit code that the targeted researchers are working on.
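The chain described above (a Visual Studio project launching PowerShell, which launches rundll32.exe) is unusual process lineage that endpoint telemetry can catch. The following detection logic, written for this summary and not code from Google's article or from Binary Defense, walks constructed process-creation events and flags rundll32.exe whose parent is powershell.exe with a Visual Studio build process (assumed here to be devenv.exe or MSBuild.exe) further up the chain; the events, paths and PIDs are made up.

```python
"""Flag rundll32.exe started by PowerShell that was itself started by a
Visual Studio build process, the lineage described in the summary above."""
import csv
import io

# Assumed image names for a Visual Studio build (not stated on the page).
BUILD_IMAGES = {"devenv.exe", "msbuild.exe"}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = r"""pid,ppid,image,cmdline
400,1,explorer.exe,explorer.exe
2100,400,devenv.exe,"devenv.exe C:\Users\r\Desktop\PoC\PoC.sln"
2188,2100,powershell.exe,"powershell.exe -Command <project build event>"
2204,2188,rundll32.exe,"rundll32.exe C:\Users\r\Desktop\PoC\hidden.dll,Entry"
3000,400,powershell.exe,powershell.exe
3010,3000,rundll32.exe,"rundll32.exe shell32.dll,Control_RunDLL"
"""


def load_events(text):
    """Parse CSV rows into a dict keyed by integer pid."""
    rows = csv.DictReader(io.StringIO(text))
    return {int(row["pid"]): row for row in rows}


def ancestors(events, pid):
    """Return image names from the process itself up to the root, in order."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)  # guard against cyclic or reused pids
        chain.append(events[pid]["image"].lower())
        pid = int(events[pid]["ppid"])
    return chain


def find_suspicious(text):
    """Return (pid, lineage) for rundll32 <- powershell <- ... <- build tool."""
    events = load_events(text)
    hits = []
    for pid, event in events.items():
        if event["image"].lower() != "rundll32.exe":
            continue
        chain = ancestors(events, pid)
        # Parent must be PowerShell and some ancestor a VS build process.
        if len(chain) >= 3 and chain[1] == "powershell.exe" \
                and any(img in BUILD_IMAGES for img in chain[2:]):
            hits.append((pid, " <- ".join(chain)))
    return hits


if __name__ == "__main__":
    for pid, lineage in find_suspicious(SAMPLE_EVENTS):
        print(f"suspicious rundll32 pid={pid}: {lineage}")
```

The second rundll32.exe in the sample (a Control Panel launch under a plain PowerShell prompt) is deliberately left unflagged, since the build-process ancestor is what makes the lineage specific to this campaign.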
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is