Google has discovered a months-long spearphishing campaign targeting security researchers, carried out by hackers tied to the North Korean government.
In a blog released late in the night on Jan. 25, Andrew Weidemann from Google’s Threat Analysis Group wrote that the campaign spanned multiple companies and researchers who focus on discovering new software vulnerabilities. To do this, the actors first attempted to pose as members of the community, setting up their own research blog as a front, in some cases recycling the work of other researchers and, in at least one case, faking a successful exploit. They also created multiple personas and sockpuppet accounts on social media sites like Twitter, LinkedIn, Telegram, Keybase and Discord, where they shared posts, promoted the work of others and interacted with researchers over direct messages.
Weidemann said all that work was an effort to socially engineer and “build credibility” among targeted researchers, whom the actors later attempted to compromise in various ways. In some cases they approached the victim over Twitter with offers to collaborate on newly discovered exploits, sharing a Visual Studio project (Visual Studio being a software tool used to develop and review code). That project contained a dynamic link library with custom malware designed to ping a malicious command and control server operated by the attackers. In other cases, researchers who visited the actors’ blog clicked on a malicious link that installed malware and used an in-memory backdoor to beacon back to the group’s C2 infrastructure. Notably, Google says the victims were running fully patched and updated versions of Windows 10 and Chrome at the time of their compromise.
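As an added example (not code from the article or from Google’s report), this is the kind of triage a researcher could run on a project received this way before opening or building it; the .vcxproj content, the DLL name and the export name are constructed placeholders:

```python
# Added example (not from the article or Google's report): a defender-side
# triage of a Visual Studio project received from an untrusted collaborator.
# MSBuild projects can run arbitrary commands at build time (PreBuildEvent,
# PreLinkEvent, PostBuildEvent and <Exec> tasks), so a shared "proof of
# concept" can execute a bundled DLL as soon as the recipient builds it.
import re
import xml.etree.ElementTree as ET

# Executables that load a DLL or run a script when handed one on a build step.
LOADER_RE = re.compile(
    r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)(\.exe)?\b", re.I)
FILE_RE = re.compile(r"[^\s,\"']+\.(?:dll|exe|ps1|vbs|js|bat|cmd)\b", re.I)

def build_step_commands(project_xml):
    """Yield (step, command) for every build-event <Command> and <Exec> task."""
    root = ET.fromstring(project_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the MSBuild XML namespace
        if tag == "Command" and (el.text or "").strip():
            yield parents[el].tag.rsplit("}", 1)[-1], el.text.strip()
        elif tag == "Exec" and el.get("Command"):
            yield "Exec", el.get("Command").strip()

def triage(project_xml):
    """One finding per build-step command; [] means nothing but compile/link."""
    findings = []
    for step, cmd in build_step_commands(project_xml):
        loaders = sorted({m.group(1).lower() for m in LOADER_RE.finditer(cmd)})
        files = sorted({f for f in FILE_RE.findall(cmd) if not LOADER_RE.match(f)})
        findings.append({
            "step": step, "command": cmd, "loaders": loaders, "files": files,
            # A loader given a shipped binary is the pattern worth refusing to build.
            "severity": "HIGH" if loaders and files else "REVIEW",
        })
    return findings

# Constructed sample .vcxproj; the DLL name and export are placeholders.
SUSPICIOUS_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)poc_helper.dll,Run</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>"""

if __name__ == "__main__":
    for f in triage(SUSPICIOUS_VCXPROJ):
        print(f"{f['severity']}: {f['step']} runs {f['command']!r}")
```

A project with no build-step commands yields an empty list; one that runs anything at all is worth reading before building, and one that hands a bundled binary to a loader is the case described in the article.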
Google provided a list of known social media accounts tied to the campaign as well as indicators of compromise, warning that some researchers could be compromised if they interacted with any of the false personas.
“If you have communicated with any of these accounts or visited the actors’ blog, we suggest you review your systems for the IOCs provided [in the blog],” Weidemann wrote. “To date, we have only seen these actors targeting Windows systems as a part of this campaign.”
The blog does not mention specific researchers who were targeted or compromised, but several individuals have come forward since the news broke to claim they had either interacted with the malicious accounts or had been compromised.
Warren Mercer, a threat researcher at Cisco Talos, said multiple researchers at the company had been targeted by the group, though none of the conversations progressed far enough for malicious files to be exchanged.
“It is worth noting that the attacker has a good grasp of the English language and made contact within the normal working hours for the researcher based on their time zone, denoting some care regarding the quality of the lure,” Mercer wrote in a Jan. 26 blog reacting to the news.
Richard Johnson of Fuzzing/IO confirmed over Twitter that he had been sent a Windows kernel proof of concept by the same account, one that was “real and complex to trigger.” According to Johnson’s thread, he was approached in a similar manner over Twitter DMs, with the actor suggesting they move to Telegram before sending over an encrypted version of the exploit.
In a subsequent update, Johnson confirmed he had been compromised and that simply visiting the blog was sufficient to be infected with the Chrome exploit.
“The real compromise was the Chrome 0day on the blog - the lure was the PGP key, which was needed for the target to decrypt one of a few offered low value browser or kernel PoC for collab,” he wrote. “The shared project was Trojaned as a backup plan.”
Another security researcher, Dave Aitel, disclosed that he had been contacted by one of the Twitter accounts, @Z0x55g. In screenshots of the exchange posted by Aitel, the individual claimed he had found a Windows kernel zero-day vulnerability and was “looking for someone to research together.”
Aitel rebuffed the offer with an apparently sarcastic response that “I am not worthy. But I appreciate you thinking of me. I am not at your level.”
Google’s blog does not delve into how the company was able to attribute the campaign to North Korean actors. Intezer, a cybersecurity company that maps the “genetic profile” of software, third-party applications and operating systems in cloud environments, said some of the code in the malware samples shared by Google overlaps with FallChill, a malware strain used by Lazarus Group, a catchall term for multiple APT groups and campaigns tied to the North Korean government.
“The undetected files that Google reported on share genes with previously known samples by Lazarus Group, meaning we have technical evidence that the code that was used in this attack was used in the past by Lazarus Group and only Lazarus Group,” said Ari Eitan, vice president of research at Intezer in an interview with SC Media.
Eitan said the malware shared similarities with a remote administration Trojan called Manuscript, which would have given an attacker full control over a victim’s computer. While it’s not clear exactly what the group was after, targeting security researchers who work specifically on software vulnerabilities could let the attackers steal non-public research on undisclosed exploits, or gain insight into what those researchers knew about North Korean hacking operations and how those operations are defended against.
“My bet is that it’s both, like within this specific victim you get both what they know about you as an attacker, and also you can steal the work of the vulnerability researchers and use that…to attack other victims,” said Eitan.
This is a developing story.