North Korean hackers have launched a revenge campaign targeting cybersecurity researchers for keeping tabs on them. Like scammers on Tinder, they appear friendly and collaborative – only to nuke researchers' systems with malware later.
Google’s Threat Analysis Group (TAG) shed new light on government-backed North Korean threat actors.
At the beginning of the year, actors were caught using zero-day exploits to target security researchers working on vulnerability research and development. Over the past several weeks, at least one new actively exploited zero-day attack has come to light, though the glitch it abused is being patched.
However, Google’s team is warning that North Korean cyber-crooks can also be smooth-tongued when they want to be.
“North Korean threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest,” Google writes in its blog.
Threat actors established a research blog and multiple X profiles to interact with potential targets. To build credibility, they posted links to their blog, videos of their claimed exploits, and retweeted posts from other accounts they control.
After the initial contact, the conversations between hackers and researchers moved to encrypted messaging apps, such as Signal, WhatsApp, or Wire. Any developed trust was an illusion.
“Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one zero-day in a popular software package,” Google warned.
After conducting several anti-virtual machine checks, malicious code started collecting and sending the information back to the attacker. The shellcode used in this exploit had similarities with previous North Korean exploits.
Other exploitation tactics also reflect the complicated relationship between researchers and North Korean hackers.
Crooks developed a seemingly useful tool for researchers – a standalone Windows application to “download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers.” The source code for this tool was made public on Github, first published on September 30th, 2022, with several updates released later.
However, the stated goal differs from the intended one.
“On the surface, this tool appears to be a useful utility for quickly and easily downloading symbol information from a number of different sources. Symbols provide additional information about a binary that can be helpful when debugging software issues or while conducting vulnerability research. But the tool also has the ability to download and execute arbitrary code from an attacker-controlled domain,” researchers said.
They recommend anyone running this tool to take precautions and ensure the system is in a known clean state. The operating system likely requires a fresh reinstall.
Cybernews has an explainer on how to deal with malware on Windows that can be found here: “nuke and pave” often is the only way.
Google’s TAG hopes to raise the understanding of tactics and techniques used by cybercriminals to enhance threat-hunting capabilities and lead to stronger user protections across the industry.
Findings are used to warn, provide early notification, and develop patches and security practices. Upon discovery, all identified websites and domains are added to Safe Browsing to protect users from further exploitation.
More from Cybernews:
Subscribe to our newsletter