North Korean Hackers Exploit Zero-Day Bug to Target Cybersecurity Researchers

September 08, 2023 | THN | Zero-Day / Cyberattack


In recent weeks, threat actors associated with North Korea continue to target the cybersecurity community by using a zero-day bug in unspecified software to infiltrate their machines.

The findings come from Google’s Threat Analysis Group (TAG), which found that the adversary was creating fake accounts on social media platforms like X (formerly Twitter) and Mastodon to build relationships with potential targets and build trust.

“In one case, they had a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest,” said security researchers Clement Lecigne and Maddie Stone. “After initial contact via X, they migrated to an encrypted messaging app such as Signal, WhatsApp or Wire.”

The social engineering exercise ultimately paved the way for a malicious file containing at least one zero day in a popular software package. The vulnerability is currently being fixed.

The payload, for its part, performs a number of anti-virtual machine (VM) checks and transmits the collected information, along with a screenshot, to a server controlled by an attacker.


A search on X shows that the now-suspended account has been active since at least October 2022, with the actor releasing proof-of-concept (PoC) exploit code for high-severity privilege escalation vulnerabilities in the Windows kernel such as CVE-2021-34514 and CVE-2022-21881.

This is not the first time that North Korean actors have exploited collaboration-themed lures to infect their victims. In July 2023, GitHub disclosed details of an NPM campaign in which adversaries identified as TraderTraitor (aka Jade Sleet) used fake personas to target the cybersecurity industry, among others.

“After establishing contact with a target, the threat actor invites the target to collaborate on a GitHub repository and convinces the target to clone and execute its content,” the Microsoft-owned company said at the time.

Google TAG said it also found a standalone Windows tool named “GetSymbol” developed by the attackers and hosted on GitHub as a potential secondary infection vector. It has been forked 23 times to date.

The rigged software, released on the code hosting service in September 2022 and updated several times before being removed, offers a way to “download” debug symbols from the Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineering.

But it also provides the ability to download and execute arbitrary code from a command and control (C2) domain.

The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) revealed that the North Korean state actor known as ScarCruft uses LNK file lures in phishing emails to deliver a backdoor capable of harvesting sensitive data and executing malicious instructions.

It also follows new findings from Microsoft that “several North Korean actors have recently targeted the Russian government and defense industry – likely for intelligence collection – while simultaneously providing material support to Russia in its war against Ukraine.”



The targeting of Russian defense companies was also highlighted by SentinelOne last month, which revealed that Lazarus Group (aka Diamond Sleet or Labyrinth Chollima) and ScarCruft (aka Ricochet Chollima or Ruby Sleet) breached NPO Mashinostroyeniya, a Moscow-based missile engineering and defense company, to facilitate intelligence gathering.

The two actors were also observed infiltrating weapons manufacturing companies based in Germany and Israel from November 2022 to January 2023, not to mention compromising an aerospace research institute in Russia as well as defense companies in Brazil, Czechia, Finland, Italy, Norway, Israel and Poland since the beginning of the year.

“This suggests that the North Korean government is simultaneously assigning multiple groups of threat actors to fulfill high-priority collection requirements to improve the country’s military capabilities,” the tech giant said.

It’s not just cyberespionage. Earlier this week, the U.S. Federal Bureau of Investigation (FBI) implicated the Lazarus Group as being behind the theft of $41 million in virtual currency from an online casino and betting platform.

It indicated that stolen funds associated with the platform’s Ethereum, Binance Smart Chain (BSC), and Polygon networks were moved to 33 different wallets around September 4, 2023.

“North Korean cyber threat actors conduct cyber operations aimed at (1) gathering intelligence on the activities of perceived state adversaries: South Korea, the United States, and Japan, (2) gathering information on the military capabilities of other countries to improve their own, and (3) raising cryptocurrency funds for the state,” Microsoft said.
