North Korean hackers target cybersecurity community with zero-day attacks
Sophisticated tactics deployed by North Korean hackers shake cybersecurity community
North Korean hackers are targeting the cybersecurity community, using social engineering tactics to establish trust with their victims. They exploit zero-day vulnerabilities in popular software, evade detection through anti-VM checks, and gather information from victims' systems. This is not their first collaboration-themed attack, as they have previously used fake personas on GitHub to lure victims. Multiple North Korean threat actors have been targeting the Russian government and defense industry, as well as supporting Russia in its conflict with Ukraine, according to Microsoft.
Threat actors associated with North Korea have been observed engaging in a series of targeted attacks against the cybersecurity community. These attacks leverage a zero-day vulnerability in undisclosed software, serving as the entry point for infiltrating the victims' systems.
Building trust through social engineering
Google's Threat Analysis Group (TAG) recently uncovered the tactics employed by these threat actors. They create fake accounts on social media platforms such as X and Mastodon to establish relationships with potential targets. Over an extended period, the attackers engage in conversation, seeking to collaborate with security researchers on topics of mutual interest. After initial contact on social media, the conversation usually moves to encrypted messaging apps such as Signal, WhatsApp, or Wire.
Exploiting a zero-day vulnerability and anti-VM checks
Once trust is established, the adversary proceeds to deliver a malicious file containing at least one zero-day vulnerability within a widely used software package. The vulnerability is currently being addressed by the respective vendor. Upon execution, the payload performs various anti-virtual machine checks to evade detection. It gathers relevant information, including a screenshot, which is then transmitted back to a server controlled by the attacker.
History of collaboration-themed lures and additional attack methods
This type of collaboration-themed baiting technique is not new for North Korean threat actors. In a similar campaign uncovered in July 2023 by GitHub, fake personas were used to lure victims, including those in the cybersecurity sector, into collaborating on GitHub repositories. In its recent findings, Google also discovered that the attackers developed a standalone Windows tool called "GetSymbol," hosted on GitHub. The tool served as a potential secondary infection vector, allowing arbitrary code to be downloaded and executed from a command-and-control domain. It is worth noting that multiple North Korean threat actors have been targeting the Russian government and defense industry, alongside providing support to Russia in its conflict with Ukraine, according to recent findings by Microsoft.
09/08/2023 09:21
Marco Verro