
North Korean hackers are targeting security researchers with malware, 0-days


mood


 

A North Korean government-backed hacking group is targeting security researchers who focus on vulnerability and exploit development via social networks, Google disclosed tonight.

 

According to a report released tonight by Google's Threat Analysis Group, a North Korean government-backed hacking group uses social networks to target security researchers and infect their computers with a custom backdoor malware.

 

The threat actors create fake Twitter profiles and blogs to build a fake persona as a security researcher. These accounts are then used to contact targeted security researchers via social media, including Twitter, LinkedIn, Telegram, Discord, Keybase, and email.

 

Social media accounts used in this campaign
Source: Google

 

As part of this fake persona building, the threat actors write articles analyzing existing vulnerabilities or create videos showing off PoCs they allegedly developed.

 

In one case seen by Google, the threat actors were called out for a fake PoC video and began to create Twitter sock puppet accounts to refute the claims that the PoC was fake.

"Multiple comments on YouTube identified that the video was faked and that there was not a working exploit demonstrated. After these comments were made, the actors used a second Twitter account (that they control) to retweet the original post and claim that it was 'not a fake video,'" Google explained in their report.

 

After establishing contact with a security researcher, the threat actors would ask if they would like to collaborate on vulnerability research or exploit development. As part of this collaboration, the threat actors would send a Visual Studio project to the researcher that contained their PoC exploit, as well as a malicious hidden DLL named 'vcxproj.suo.'

 

When the researcher tried to build the PoC exploit, a pre-build event would execute a PowerShell command that checks if the user is running 64-bit versions of Windows 10, Windows Server 2019, and Windows Server 2016.

 

If the checks pass, the PowerShell command will execute the malicious DLL via rundll32.exe.

 

PowerShell pre-build event
Source: Google

 

Google states that this DLL is a custom backdoor injected into memory and will call back to a command and control server for commands to execute.

 

Google states that some researchers were also infected simply by visiting an exploit writeup at the threat actor's blog, br0vvnn[.]io. These researchers used fully patched Windows 10 devices with the latest Google Chrome, indicating that the threat actors were using zero-day vulnerabilities to infect their visitors.

 

While Google has not stated the ultimate goal for these attacks, it was likely to steal undisclosed security vulnerabilities and exploits based on the targeted users.

 

Google states that the Twitter accounts used in this hacking campaign are br0vvnn, BrownSec3Labs, dev0exp, djokovic808, henya290, james0x40, m5t0r, mvp4p3r, tjrim91, and z0x55g.

 

A full list of IOCs can be found at the end of Google's report.

Security researchers reveal they were targeted

Since Google published their story, security researchers who were targeted in this campaign have started to share their experiences.

 

Not gonna lie, the fact I was targeted is sweet sweet validation of my skillz ;) https://t.co/1WuIQ7we4R

— Aliz (@AlizTheHax0r) January 26, 2021

 

Keep your wits about you. I can confirm I was targeted by “z0x55g” via Twitter DMs asking about browser and Windows kernel 0day vulnerability research. I guess it was because I had commented about the Defender RCE and used to have #0day in my bio. But yikes! Stay vigilant https://t.co/W4qcloztLF

— Will | Bushido (@BushidoToken) January 26, 2021

 

At least two of the mentioned accounts contacted me via DM. Always happy to help if I can, but their attempt was too shady to interact: https://t.co/yqJNc6CGML pic.twitter.com/3NCh912lWu

 

— Hossein Lotfi (@hosselot) January 26, 2021

 

Google offers the following advice for those concerned this hacking group is targeting them.

"If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research," advises Google's Threat Analysis Group.

 

 

Source: North Korean hackers are targeting security researchers with malware, 0-days

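The Visual Studio project described in the post above delivers its payload through a build event, so the project file itself is the thing to read before pressing Build. What follows is an added example for this thread, not code from Google's report or from the actors' project: a small scanner that pulls every PreBuildEvent, PreLinkEvent and PostBuildEvent command (plus any Exec task) out of a .vcxproj and flags the ones that spawn PowerShell, hand a file to rundll32 or another LOLBin, reach out to the network, or reference a .suo file. The sample project text is constructed for the demo and only loosely mirrors the trick the article describes; the actual PowerShell used in the campaign is in Google's report, not here.

```python
"""Flag build events in a Visual Studio project that run code at build time.

Added example for this thread, not code from Google's or Microsoft's report.
The project text below is constructed for the demo; it only loosely mirrors
the pre-build trick the article describes (PowerShell -> rundll32 -> DLL).
"""
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose child <Command> is run as a shell command during a build.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}

# Each pattern is a reason a build step deserves a human look before building.
SUSPICIOUS = [
    (r"\b(powershell|pwsh)(\.exe)?\b", "spawns PowerShell"),
    (r"-(enc|encodedcommand)\b", "base64-encoded PowerShell"),
    (r"\brundll32(\.exe)?\b", "loads a DLL via rundll32"),
    (r"\b(regsvr32|mshta|certutil|bitsadmin|wscript|cscript)(\.exe)?\b", "LOLBin"),
    (r"\.suo\b", "references a .suo file (IDE cache, never legitimate code)"),
    (r"https?://", "fetches something from the network"),
]


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace: '{ns}PreBuildEvent' -> 'PreBuildEvent'."""
    return tag.rsplit("}", 1)[-1]


def build_commands(vcxproj_text: str):
    """Yield (kind, command) for every build event and Exec task in the project."""
    root = ET.fromstring(vcxproj_text)
    for el in root.iter():
        kind = _local(el.tag)
        if kind in EVENT_TAGS:
            for child in el:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    yield kind, child.text.strip()
        elif kind == "Exec" and el.get("Command"):  # <Exec Command="..."/> inside a <Target>
            yield "Exec", el.get("Command").strip()


def scan_vcxproj(vcxproj_text: str):
    """Return one finding per build command: {'kind', 'command', 'reasons'}.

    An empty 'reasons' list means the command matched nothing; it is still
    returned so a reviewer sees everything the build will execute.
    """
    findings = []
    for kind, cmd in build_commands(vcxproj_text):
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, cmd, re.IGNORECASE)]
        findings.append({"kind": kind, "command": cmd, "reasons": reasons})
    return findings


def suspicious_only(vcxproj_text: str):
    """Just the findings that matched at least one pattern."""
    return [f for f in scan_vcxproj(vcxproj_text) if f["reasons"]]


# Constructed sample project (not the campaign's real file): a release-only
# pre-build step that runs PowerShell and hands a '.suo' to rundll32, plus a
# harmless post-build copy and a harmless Exec task for contrast.
SAMPLE_VCXPROJ = """\
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
    </ClCompile>
    <PreBuildEvent>
      <Command>powershell -ep bypass -c "if ([Environment]::Is64BitOperatingSystem) { rundll32 $(ProjectDir)vcxproj.suo,Main }"</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="echo build done" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for f in scan_vcxproj(SAMPLE_VCXPROJ):
        flag = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"[{flag}] {f['kind']}: {f['command']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Run it against every .vcxproj in a solution you received from a stranger, before opening it in the IDE. Two caveats: a project can pull in extra .props or .targets files through Import elements and MSBuild evaluates those too, so scan the imported files as well; and a clean scan does not make the PoC safe, since the compiled code itself is untrusted. Google's advice still applies: build and run other people's projects only on a throwaway machine or VM.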

Microsoft: DPRK hackers 'likely' hit researchers with Chrome exploit


 

Today, Microsoft disclosed that they have also been monitoring the targeted attacks against vulnerability researchers for months and have attributed the attacks to a DPRK group named 'ZINC.'

 

Earlier this week, Google disclosed that a North Korean government-backed hacking group has been using social networks to target security researchers.

 

As part of the attacks, the threat actors would ask researchers to collaborate on vulnerability research and then attempt to infect their computers with a custom backdoor malware.

Microsoft tracks hacking group as ZINC

In a new report, Microsoft states that they too have been tracking this threat actor, which they track as 'ZINC,' for the past couple of months as the hackers target pen testers, security researchers, and employees at tech and security companies. Other researchers track this hacking group under the well-known name 'Lazarus.'

 

"In recent months, Microsoft has detected cyberattacks targeting security researchers by an actor we track as ZINC. The campaign originally came to our attention after Microsoft Defender for Endpoint detected an attack in progress. Observed targeting includes pen testers, private offensive security researchers, and employees at security and tech companies."

 

"Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to ZINC, a DPRK-affiliated and state-sponsored group, based on observed tradecraft, infrastructure, malware patterns, and account affiliations," the Microsoft Threat Intelligence Center team disclosed in a new report.

 

Based on Microsoft's research, the ZINC actors began operating in mid-2020 by building online Twitter security researcher personas by retweeting security content and posting about vulnerability research. 

 

The threat actors would then amplify these tweets using other sock-puppet Twitter accounts under their control. This tactic allowed the group to build a reputation in the security vulnerability research space and a following that included "prominent security researchers."

Twitter activity by ZINC threat actors
Source: Microsoft

As part of their attack, the ZINC actors would contact researchers to collaborate on vulnerability and exploit research. As previously reported by Google, for those researchers who agreed, ZINC would send a Visual Studio project containing a malicious DLL that would be executed when researchers compiled the project.

 

This DLL would lead to installing a backdoor malware that would allow the attackers to retrieve information and execute commands on the computer.

 

"Over this C2 channel, the threat actors can execute remote commands to enumerate files/directories and running processes, and to collect/upload information about the target device, including IP address, Computer Name, and NetBIOS.  Furthermore, we observed some hands-on-keyboard action to enumerate all files/directories on the target disk, create screenshots, and deploy additional modules," explains Microsoft's report.

Other attack methods were observed by Microsoft

In addition to the malicious Visual Studio project, Microsoft saw ZINC attacking security professionals using other methods.

 

As already explained in Google's reports, some people were infected simply by visiting the threat actors' web site on fully patched systems and the latest Google Chrome. Google was unsure how the visitors were compromised but suspected the use of zero-day vulnerabilities.

 

Microsoft states that the threat actors shared a link to a blog post on their web site that contained an exploit kit using "0-day or patch gap exploits."

"A blog post titled DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug, was shared by the actor on October 14, 2020 from Twitter. From October 19-21, 2020, some researchers, who hadn't been contacted or sent any files by ZINC profiles, clicked the links while using the Chrome browser, resulting in known ZINC malware on their machines soon after.

"This suggests that a Chrome browser exploit chain was likely hosted on the blog, although we haven't been able to prove this. Since some of the victim's browsers were fully patched, it's also suspected, but unproven, that the exploit chain used 0-day or patch gap exploits," Microsoft explained.

 

Other attack methods used by ZINC included:

  • Distributing blog posts as MHTML files that reached back to ZINC-controlled domains that executed malicious JavaScript.
  • Attempting to exploit the CVE-2017-16238 vulnerability in a vulnerable driver for the antivirus product called Vir.IT eXplorer. Microsoft states that these attempts failed.
  • Deploying a Chrome password stealer.

Microsoft warns that if you have visited the ZINC-owned blog (br0vvnn[.]io), you should immediately run a full antivirus scan or use the IOCs in their report to check for infections.

 

If these IOCs are found on your machine, you should assume that the device has been fully compromised.

 

 

Source: Microsoft: DPRK hackers 'likely' hit researchers with Chrome exploit

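Microsoft's advice in the post above is to check your logs against the published IOCs if you may have visited the blog, and it gives a concrete window (October 19-21, 2020) for the drive-by visits. The script below is an added example for this thread, not tooling from Microsoft or Google: it refangs vendor-style indicators, matches them against the hostnames in proxy and DNS log lines (exact or subdomain match, so a lookalike such as notbr0vvnn.io does not fire), and optionally restricts the sweep to that window. The log format and every log line are constructed for the demo; the only indicator used is the blog domain both reports name, br0vvnn[.]io. The full IOC lists from the vendor reports can be pasted into RAW_IOCS as published.

```python
"""Sweep proxy/DNS logs for the ZINC blog domain within the reported time window.

Added example for this thread, not tooling from Microsoft or Google. The log
format and every log line below are constructed; the only indicator used is
the blog domain both reports name (br0vvnn[.]io). The full IOC lists are in
the vendor reports and can be dropped into RAW_IOCS as-is (defanged).
"""
import re
from urllib.parse import urlsplit

# Defanged, exactly as vendors publish them.
RAW_IOCS = ["br0vvnn[.]io"]

# Microsoft observed the drive-by visits 19-21 Oct 2020; widen as needed.
WINDOW = ("2020-10-19T00:00:00Z", "2020-10-21T23:59:59Z")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """'br0vvnn[.]io' -> 'br0vvnn.io'; also handles hxxp and (.) styles."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def host_matches(host: str, ioc_domain: str) -> bool:
    """Exact or subdomain match. 'notbr0vvnn.io' must NOT match 'br0vvnn.io'."""
    host = host.lower().rstrip(".")
    ioc_domain = ioc_domain.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def hosts_in_line(line: str):
    """Hostnames a log line talks about: URL hosts if any, else bare names (DNS logs)."""
    urls = URL_RE.findall(line)
    if urls:
        return [h for h in (urlsplit(u).hostname for u in urls) if h]
    return HOST_RE.findall(line)


def in_window(line: str, window=WINDOW) -> bool:
    """Assumes an ISO-8601 UTC timestamp as the first field (true for the sample format)."""
    ts = line.split(" ", 1)[0]
    return window[0] <= ts <= window[1]


def sweep(lines, iocs=RAW_IOCS, window=None):
    """Return hits as dicts {'line', 'host', 'ioc'}; window=None disables time filtering."""
    domains = [refang(i) for i in iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        if window and not in_window(line, window):
            continue
        for host in hosts_in_line(line):
            for d in domains:
                if host_matches(host, d):
                    hits.append({"line": n, "host": host, "ioc": d})
    return hits


# Constructed sample: '<utc-time> <client> <action> <target> [<status>]'.
LOG_LINES = [
    "2020-10-20T09:14:02Z 10.0.5.23 GET https://blog.br0vvnn.io/post/1 200",  # hit
    "2020-10-20T09:14:03Z 10.0.5.23 GET https://notbr0vvnn.io/ 200",          # lookalike, no hit
    "2020-10-20T09:15:11Z 10.0.5.23 DNS A cdn.br0vvnn.io",                    # subdomain, hit
    "2020-10-20T09:16:40Z 10.0.5.23 GET https://example.org/br0vvnn.io 200",  # only in the path, no hit
    "2020-11-02T17:03:09Z 10.0.5.41 GET https://br0vvnn.io/ 200",             # hit, but outside window
]

if __name__ == "__main__":
    for h in sweep(LOG_LINES, window=WINDOW):
        print(f"line {h['line']}: {h['host']} matched {h['ioc']}")
```

A hit on the domain only tells you a browser reached the blog, not that the exploit chain ran; as the post says, a machine that matches the IOCs should be treated as fully compromised rather than scanned and kept, and the window should be dropped (window=None) for the sweep, since the blog was live before and after the dates Microsoft quotes.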

