North Korean cybercriminals exploit zero-day vulnerability to target cybersecurity researchers

North Korean hackers target cybersecurity researchers' computers

Forging trust on social media platforms

In recent weeks, North Korean threat actors have intensified their attacks on the cybersecurity industry, making use of a zero-day vulnerability in unreleased software to hack researchers' computers. This bold campaign was discovered by Google's Threat Analysis Group (TAG), which revealed a multi-pronged strategy that included social engineering techniques and the distribution of malware payloads.

The attackers make initial contact by setting up fake identities on social networking sites such as X (formerly Twitter) and Mastodon. They go to great lengths to win over potential targets, often holding in-depth discussions and proposing collaboration on projects of shared interest. Once trust has been established, the conversation moves to encrypted messaging services such as Signal, WhatsApp, or Wire.

This elaborate social engineering effort sets the stage for the delivery of a malicious file that exploits at least one zero-day vulnerability in a widely used software product. Efforts to address and patch the vulnerability are underway.

The malicious payload and its tactics

Once the intrusion succeeds, the malicious payload runs a series of anti-virtual machine (VM) checks to confirm that it is running on a real victim machine rather than in an analysis environment. It then covertly collects information from the system, including screenshots, and sends it to a server under the attackers' control. The sophistication of the payload points to a well-resourced and knowledgeable adversary.

A review of X shows that the now-suspended account associated with this campaign has been active since at least October 2022. The threat actor has even published proof-of-concept (PoC) exploit code for critical privilege escalation flaws in the Windows kernel, such as CVE-2021-34514[1] and CVE-2022-21881.[2]

A familiar tactic for North Korean threat actors

Threat actors operating out of North Korea have used collaboration-themed lures before. In July 2023, GitHub disclosed details[3] of a campaign in which adversaries tracked as TraderTraitor (also known as Jade Sleet) used fictitious personas to target several industries, including the cybersecurity industry. These attackers persuaded targets to collaborate on GitHub repositories and thereby tricked them into running malware.

Google TAG also discovered a standalone Windows tool called "GetSymbol," created by the attackers and published on GitHub. First released in September 2022 and updated repeatedly before being removed, the tool reportedly provided debugging symbols from major technology companies. As an additional infection vector, it also had the ability to download and run arbitrary code from a command-and-control (C2) domain.

Expanding threat landscape

The disclosure of this campaign coincides with a report from the AhnLab Security Emergency Response Center (ASEC),[4] which exposed North Korean nation-state actors using LNK file lures in phishing emails to deliver a backdoor capable of gathering sensitive data and executing malicious instructions.

Additionally, according to Microsoft, a number of North Korean threat actors have recently targeted the Russian government and defense sector, likely to gather intelligence and support Russia in its confrontation with Ukraine. These actions highlight the broad range of goals that North Korean cyber threat actors pursue, including gathering intelligence, enhancing military capability, and obtaining bitcoin revenue for the state.

The Lazarus Group, a notorious North Korean hacking group, is also allegedly responsible for the theft of $41 million in virtual currency from Stake.com, an online casino and betting site, according to new FBI claims. This incident demonstrates the group's dual strategy, which combines cyber operations aimed at intelligence gathering with operations aimed at generating revenue.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
