Google’s Threat Analysis Group (TAG) has uncovered an ongoing campaign targeting security researchers working on vulnerability research and development at various organizations. In an official release, Google stated that the threat actors behind the campaign are linked to a North Korean government-backed entity. It warned the security research community that they may be targets and asked them to remain vigilant when interacting with unknown individuals on social networking platforms.
Attackers with Fake Personas
The attackers created multiple fake profiles on social media and messaging platforms, including Twitter, Telegram, LinkedIn, Discord and Keybase, and used them to reach out to security researchers working on vulnerability research and disclosure. To build credibility with the research community, they also set up a research blog containing write-ups and analysis of publicly disclosed vulnerabilities, including guest posts from unwitting legitimate security researchers.
“The actors established a research blog and multiple Twitter profiles to interact with potential targets. They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control,” Google said.
Hacker-controlled Websites and Social Media Accounts
Exploit Research Blog:
Social Engineering Attacks on Researchers
Google stated that the threat actors relied on social engineering to reach the researchers. The computers of several security researchers were compromised after they visited the attackers’ blog through links shared from the fake social media accounts. Google noted that the affected systems were running fully patched, up-to-date versions of Windows 10 and Chrome at the time, and that it could not confirm the mechanism of compromise when the report was published.
“After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains,” Google added.
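The delivery mechanism in the quote above, a DLL launched by a Visual Studio build event, is something a recipient can check for before building a project received from a stranger. The script below is an added example written for this page, not code from Google or from the campaign; it parses a .vcxproj for the commands MSBuild will run (PreBuildEvent, PreLinkEvent, PostBuildEvent, CustomBuild steps and Exec tasks) and flags any that invoke commonly abused Windows binaries or reference a DLL. The sample project file embedded in it is constructed for the demonstration, as are the `build_helper.dll` and `notify.ps1` names and the watch-list of executables.

```python
import re
import sys
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
NS = {"m": MSBUILD_NS}

# Elements whose <Command> child MSBuild executes during a build.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep", "CustomBuild")

# Watch-list chosen for this example: binaries that are normal on a developer box
# but rarely belong in the build events of a proof-of-concept exploit project.
SUSPICIOUS_EXE = re.compile(
    r"\b(rundll32|regsvr32|powershell|pwsh|mshta|certutil|wscript|cscript|bitsadmin|curl|msiexec)(\.exe)?\b",
    re.IGNORECASE,
)
# Any DLL path mentioned in a build command (MSBuild macros such as $(ProjectDir) are skipped).
DLL_REF = re.compile(r"[\w.\\/-]+\.dll\b", re.IGNORECASE)

# Constructed sample project: a benign post-build copy, plus a pre-build event and an
# Exec task of the kind described in the TAG report (names here are hypothetical).
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <Optimization>Disabled</Optimization>
    </ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)build_helper.dll,Start</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)out"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuildNotify" AfterTargets="Build">
    <Exec Command="powershell -NoProfile -ExecutionPolicy Bypass -File $(ProjectDir)notify.ps1" />
  </Target>
</Project>
"""


def extract_build_commands(vcxproj_xml):
    """Return (source, command) pairs for every shell command the project would run."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for tag in EVENT_TAGS:
        for event in root.iter(f"{{{MSBUILD_NS}}}{tag}"):
            cmd = event.find("m:Command", NS)
            if cmd is not None and cmd.text and cmd.text.strip():
                found.append((tag, cmd.text.strip()))
    # <Exec Command="..."/> tasks inside custom <Target>s run as well.
    for task in root.iter(f"{{{MSBUILD_NS}}}Exec"):
        cmd = task.get("Command")
        if cmd and cmd.strip():
            found.append(("Exec", cmd.strip()))
    return found


def audit_vcxproj(vcxproj_xml):
    """Flag build commands that run a watch-listed binary or reference a DLL."""
    findings = []
    for source, cmd in extract_build_commands(vcxproj_xml):
        reasons = []
        match = SUSPICIOUS_EXE.search(cmd)
        if match:
            reasons.append(f"runs {match.group(1).lower()}")
        dlls = DLL_REF.findall(cmd)
        if dlls:
            reasons.append("references DLL " + ", ".join(dlls))
        if reasons:
            findings.append({"source": source, "command": cmd, "reasons": reasons})
    return findings


def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit_vcxproj(fh.read())


if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_vcxproj(SAMPLE_VCXPROJ)
    for f in results:
        print(f"[{f['source']}] {f['command']}\n    -> {'; '.join(f['reasons'])}")
    if not results:
        print("no suspicious build commands found")
```

Run it against a received project with `python audit_vcxproj.py path\to\project.vcxproj` before opening the solution in Visual Studio. It only covers commands written into the project file itself: build logic pulled in through `<Import>` of a .props or .targets file, or code that runs when the exploit source is executed, is out of scope, so treat an empty result as one check passed rather than a clean bill of health, and build untrusted projects only in a disposable VM.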