Google said today that a hacking group backed by the North Korean government is targeting members of the cybersecurity community who work on vulnerability research.
The attacks were spotted by the Google Threat Analysis Group (TAG).
In a report released earlier today, Google said the North Korean hackers used multiple accounts on various social networks, including Twitter, LinkedIn, Telegram, Discord and Keybase, to contact security researchers under fake personas.
In some cases, email was also used, Google said.
“Once the initial communication is established, the actors will ask the target researcher if they want to collaborate together to study the vulnerability and then provide the researcher with a Visual Studio project,” said Adam Weidemann, a security researcher at Google TAG.
The Visual Studio project contains malicious code that installs malware on the targeted researcher’s operating system. The malware acts as a backdoor, connecting to a remote command and control server and waiting for commands.
A new mysterious browser attack has also been detected
But Weidemann said the attackers did not always send malicious files to their targets. In other cases, they asked security researchers to visit a blog they hosted at blog[.]br0vvnn[.]io (do not access).
Google said the blog hosted malicious code that infected the security researcher’s computer shortly after they visited the site.
“A malicious service was installed in the researcher’s system, and the back door in memory would start signaling to an actor-owned command and control server,” Weidemann said.
Google TAG also added that many of the victims who visited the site were running “a fully patched and up-to-date version of the Windows 10 and Chrome browser” and still became infected.
Details of browser-based attacks are still scarce, but some security researchers believe the North Korean group most likely used a combination of zero-day vulnerabilities in Chrome and Windows 10 to deploy their malicious code.
As a result, the Google TAG team is currently asking the cybersecurity community to share more details about the attacks if a security researcher believes they have been infected.
The Google TAG report includes a list of links to fake social media profiles that the North Korean actor uses to entice and deceive members of the infosec community.
Security researchers are advised to review their browsing history and check whether they have interacted with any of these accounts or visited the malicious blog[.]br0vvnn[.]io domain.
If they have, they are most likely infected and should take steps to investigate their own systems.
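A defender-side check of the kind the advice above describes, written here as an added example (it is not code from the article or from Google's report): it reads the `urls` table of a copy of Chrome's History SQLite file and reports visits to the indicator domain, converting Chrome's WebKit-epoch timestamps to readable dates. The sample database is constructed inline; on a real system you would open a copy of the profile's History file instead.

```python
"""Scan a Chrome-style History database for visits to a known malicious domain."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Indicator named in the article (defanged in the prose as blog[.]br0vvnn[.]io).
MALICIOUS_DOMAINS = {"blog.br0vvnn.io"}

# Chrome stores last_visit_time as microseconds since 1601-01-01 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def host_matches(url, domains):
    """True if the URL's host is one of the domains or a subdomain of one.

    Comparing the parsed hostname (not a substring of the URL) avoids matching
    lookalikes such as br0vvnn.io.example.net."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_visits(conn, domains=MALICIOUS_DOMAINS):
    """Return every row of Chrome's 'urls' table whose host matches an indicator."""
    rows = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls")
    hits = []
    for url, title, count, last_visit in rows:
        if host_matches(url, domains):
            hits.append({"url": url, "title": title, "visits": count,
                         "last_visit": webkit_to_datetime(last_visit).isoformat()})
    return hits


def constructed_history():
    """In-memory stand-in for a copy of Chrome's History file (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)")
    sample = [  # 13256100000000000 us after the WebKit epoch is 2021-01-26T02:00:00Z
        ("https://example.com/", "Example", 3, 0, 13256000000000000, 0),
        ("https://blog.br0vvnn.io/", "Constructed hit", 1, 0, 13256100000000000, 0),
        ("https://br0vvnn.io.example.net/", "Lookalike, must not match", 1, 0, 13256100000000000, 0),
    ]
    conn.executemany("INSERT INTO urls (url, title, visit_count, typed_count, "
                     "last_visit_time, hidden) VALUES (?, ?, ?, ?, ?, ?)", sample)
    return conn


if __name__ == "__main__":
    for hit in find_visits(constructed_history()):
        print(hit)
```

Chrome locks the live History file while running, so copy it first and open the copy.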
The reason for targeting security researchers is fairly obvious: it could allow the North Korean group to steal exploits for vulnerabilities discovered by the infected researchers, which the threat group could then use in its own attacks with little or no development cost.
Meanwhile, several security researchers have already said on social media that they received messages from the attackers’ accounts, although none has said they were compromised.