Google's Project Zero has an internal Threat Analysis Group (TAG) that works with law enforcement agencies and firms on identifying and countering government-backed hacking. In its latest report, TAG revealed findings on an ongoing campaign targeting security researchers who work on vulnerability research and development at different organizations.
The malicious actors, reportedly from North Korea, target these people through social engineering. Their modus operandi is as follows: the actors first establish a fake persona online, with multiple Twitter profiles linked to research blogs that present them as working on exploits, lending a sense of legitimacy to their profiles and field of work. To gain traction and credibility, these posts were retweeted by other Twitter profiles that were also under their control.
[Image: Twitter profiles operated by the malicious actors for gaining traction and credibility] [Image: An analysis of a publicly disclosed vulnerability by the malicious actors]
In one such case, on January 14, they tweeted a YouTube video of themselves exploiting CVE-2021-1647, a recently patched vulnerability in Windows Defender. In the video they spawned a command prompt shell, but many commenters under the original video said the exploit was fake and did not work. In response, the malicious actors retweeted the original video, claiming that it was not fake.
Once this fake persona was cemented, the actors contacted their targets seeking collaboration on vulnerability research. Multiple platforms were used to reach the targets, including Twitter, LinkedIn, Telegram, Discord, Keybase, and email. Once a target agreed, the actors would send them a Visual Studio project containing source code for exploiting the vulnerability, along with an additional DLL that would be executed through Visual Studio Build Events. The DLL was custom malware that would immediately begin communicating with actor-controlled C2 domains, TAG reported. An example of the build event prompted by the source code is given below.
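The build event itself was shown as an image in the original article. As an added example (my own code, not TAG's and not from the report), the checker below lists every pre-build, pre-link, post-build and Exec command stored in a .vcxproj and flags commands that would launch something other than the build toolchain, so a project received from an unknown collaborator can be inspected before it is ever built; the watch-list and the sample project are constructed assumptions, not indicators from the report.

```python
"""Scan a Visual Studio .vcxproj for build events before building a project
received from a third party. Added example, not code from TAG's report."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")
# Assumed watch-list: none of these are needed to compile a PoC, so a hit
# means the project launches something other than the build toolchain.
SUSPICIOUS = re.compile(
    r"rundll32|regsvr32|powershell|mshta|wscript|cscript|certutil|"
    r"\.dll\b|-enc\b|-w(indowstyle)?\s+hidden|https?://", re.IGNORECASE)

def build_event_commands(vcxproj_xml: str) -> list[tuple[str, str]]:
    """Return (event type, command) for every build event and Exec task."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for tag in EVENT_TAGS:
        for event in root.iter(NS + tag):
            cmd = event.find(NS + "Command")
            if cmd is not None and cmd.text and cmd.text.strip():
                found.append((tag, cmd.text.strip()))
    # Custom <Target> elements can run arbitrary commands via the Exec task.
    for exec_task in root.iter(NS + "Exec"):
        if exec_task.get("Command"):
            found.append(("Exec", exec_task.get("Command").strip()))
    return found

def flag_suspicious(vcxproj_xml: str) -> list[tuple[str, str]]:
    """Subset of build_event_commands whose command matches the watch-list."""
    return [(t, c) for t, c in build_event_commands(vcxproj_xml)
            if SUSPICIOUS.search(c)]

# Constructed sample project (not from the report): a benign post-build copy
# plus a pre-build event that launches a DLL bundled with the project.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)poc_helper.dll",Start</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>"""

if __name__ == "__main__":
    for event, cmd in flag_suspicious(SAMPLE_VCXPROJ):
        print(f"[!] {event}: {cmd}")
```

Build events also live in .csproj files and in imported .props/.targets files, so a real review should walk every file the project imports, not just the .vcxproj handed over.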
In addition, some targets were compromised after visiting blog posts of the sort shown above. TAG researchers uncovered this when they followed a link to a blog hosted on blog.br0vvnn[.]io. Shortly thereafter, they reported, a malicious service was installed on their system and an in-memory backdoor began beaconing to an actor-owned command and control server. At the time of compromise, the researchers were running the Google Chrome browser on a patched and fully updated copy of Windows 10. Unlike the Visual Studio example outlined above, the exact mechanism of this exploit is currently unknown, and TAG welcomes any information others might have on it. They also encourage anyone who discovers this Chrome vulnerability to report it under the Chrome Vulnerability Reward Program. So far, this exploit appears to affect only systems running Windows.
As part of its findings, TAG has disclosed a list of Twitter accounts, research blogs, LinkedIn accounts, Telegram links, Keybase links, hashes, C2 domains and URLs, and host IOCs. The researchers recommend checking whether you have been contacted by any of the aliases they have listed; if so, they suggest reviewing your system for the IOCs on the same list.
TAG hopes these findings will remind those involved in security research to remain vigilant when engaging with individuals they have had no previous interaction with, as they could be targeted by government-backed hackers. For anyone concerned about being targeted, the researchers recommend compartmentalizing research activities by using separate physical or virtual machines for web browsing, interacting with the research community, accepting files from third parties, and your own security research.