North Korean Actors Put Vulnerability Researchers at Risk
Category: Threat Actor Activity | Industry: Global | Source: Google TAG
Since revealing in January 2021 that vulnerability researchers had become targets of North Korean actors, Google's Threat Analysis Group (TAG) has continued investigating this concerning campaign. Insights in its latest report provide a glimpse into the campaign's current inner workings. The threat actors employ a methodical approach, using social media platforms such as X (formerly Twitter) to build relationships with their targets, engaging in extended conversations and proposing collaboration on security-related topics. After initial contact, they move the conversation to encrypted messaging apps such as Signal, WhatsApp, or Wire, where they send malicious files containing a zero-day exploit for an undisclosed vulnerability in a popular software package.
Google TAG reports that following "successful exploitation, the shellcode conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain." Additionally, the threat actors have developed a Windows tool that presents itself as a diagnostic tool for symbol files. While it appears harmless, the tool "has the ability to download and execute arbitrary code from an attacker-controlled domain." Based on the tool's GitHub project, it has been available since at least September 30th, 2022. For researchers who have downloaded the tool, Google TAG advises taking the necessary precautions to ensure they are working in a controlled environment with the ability to initiate "a reinstall of the operating system." This campaign serves as a reminder to security researchers examining malicious code to exercise caution and never become complacent when validating files and their sources.