North Korean hackers target security researchers with zero-day exploit

North Korean actors are once again attempting to compromise security researchers’ machines using a zero-day exploit.
The warning comes from Google security researchers Clement Lecigne and Maddie Stone, who detailed the latest campaign mounted by government-backed attackers.
Security researchers targeted with a zero-day exploit
The attackers first contacted the researchers via social networks (e.g. X, formerly Twitter, or Mastodon) under the pretext of collaborating on security research. After moving the conversation to end-to-end encrypted instant messaging apps (Signal, WhatsApp or Wire) and establishing trust, they delivered a malicious file containing a zero-day exploit.
X profile controlled by the actor. (Source: Google)
“If successfully exploited, the shellcode performs a series of anti-virtual machine checks and then returns the collected information, along with a screenshot, to a command and control domain controlled by the attacker,” Lecigne and Stone said.
The attackers also tried another trick: they directed researchers to a Windows tool (GetSymbol) that downloads debug symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineering, but is also capable of downloading and executing arbitrary code from an attacker-controlled domain.
“If you have downloaded or run this tool, (Google) TAG recommends taking precautions to ensure that your system is in a known clean state, likely requiring a reinstallation of the operating system,” the researchers advised.
Google has not yet revealed which software is affected by zero-day exploitation.
“The vulnerability has been reported to the affected vendor and is being fixed. Once fixed, we will release additional technical details and analysis of the exploits involved in accordance with our disclosure policies,” they added.
A new campaign
A similar campaign was revealed in January 2021, when malicious actors, apparently backed by the North Korean government, created accounts on Twitter, LinkedIn, Keybase and Telegram to directly contact security researchers. (Microsoft also detailed this campaign.)
After establishing trust, they shared a link, asking researchers to verify the content. This would result in the installation of a malicious service and a backdoor reporting to a threat actor’s C2 server.