Dmitry Nogaev | Getty Images
North Korea-backed hackers are once again targeting security researchers with a zero-day exploit and related malware in an attempt to infiltrate computers used to perform sensitive investigations involving cybersecurity.
The presently unfixed zero-day—meaning a vulnerability that’s known to attackers before the hardware or software vendor has a security patch available—resides in a popular software package used by the targeted researchers, Google researchers said Thursday. They declined to identify the software or provide details about the vulnerability until the vendor, which they privately notified, releases a patch. The vulnerability was exploited using a malicious file the hackers sent the researchers after first spending weeks establishing a working relationship.
Malware used in the campaign closely matches code used in a previous campaign that was definitively tied to hackers backed by the North Korean government, Clement Lecigne and Maddie Stone, both researchers in Google’s Threat Analysis Group, said. That campaign first came to public awareness in January 2021 in posts from the same Google research group and, a few days later, Microsoft.
Two months later, Google was back to report that the same threat actor, instead of laying low after being outed, had returned, this time targeting researchers with a zero-day exploiting a vulnerability in Internet Explorer. Microsoft, which tracks the hacking group as Zinc, patched the vulnerability the same month.
In March, researchers from security firm Mandiant said that they, too, had detected North Korea-backed hackers, tracked as UNC2970, targeting researchers. Mandiant researchers said they first observed UNC2970 campaign in June 2022.
The playbook in 2021 is the same as the one Google has observed in recent weeks. The hackers pose as security researchers and post security-related content on blogs or social media. They patiently develop relationships with real researchers and later take their discussions to private forums. Eventually, the fake researchers share Trojanized exploits or analysis tools with the researchers in an attempt to have them run it on their personal machines.
Advertisement
In Thursday’s post, the Google Threat Analysis Group researchers wrote:
Similar to the previous campaign TAG reported on, North Korean threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package.
Enlarge / Actor-controlled Twitter profile
Google TAG
Upon successful exploitation, the shellcode conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain. The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits.
The post said that in addition to exploiting the current zero-day, the same hacking group appears to be sharing software that also targets researchers. The tool, first posted to GitHub in September 2022 and removed an hour before this post went live, provided a useful means to debug or analyze software
“On the surface, this tool appears to be a useful utility for quickly and easily downloading symbol information from a number of different sources. Symbols provide additional information about a binary that can be helpful when debugging software issues or while conducting vulnerability research,” the researchers wrote. “But the tool also has the ability to download and execute arbitrary code from an attacker-controlled domain.”
The researchers urged anyone who has run the software to “ensure your system is in a known clean state, likely requiring a reinstall of the operating system.” The post includes file hashes, IP addresses, and other data people can use to indicate if they’ve been targeted.