Google has discovered a months-long spearphishing campaign targeting security researchers, carried out by hackers tied to the North Korean government.
In a blog post released late in the night on Jan. 25, Adam Weidemann of Google’s Threat Analysis Group wrote that the campaign spanned multiple companies and researchers who focus on discovering new software vulnerabilities. To do this, the actors first attempted to pose as members of the community, setting up their own research blog as a front, in some cases recycling the work of other researchers and, in at least one case, faking a successful exploit. They also created multiple personas and sockpuppet accounts on social media sites like Twitter, LinkedIn, Telegram, Keybase and Discord, where they shared posts, promoted the work of others and interacted with researchers over direct messages.
Weidemann said all of that work was an effort to socially engineer targeted researchers and “build credibility” with them, before attempting to compromise them in various ways. In some cases the actors approached a victim over Twitter with an offer to collaborate on vulnerability research and sent them a Visual Studio project (Visual Studio is Microsoft’s development environment for writing, building and reviewing code). Alongside source code for the claimed exploit, the project contained a dynamic link library (DLL) of custom malware that was executed through Visual Studio Build Events when the target built the project, and which then beaconed to command-and-control (C2) domains operated by the attackers. In other cases, researchers who followed a link to the actors’ blog were compromised shortly after visiting the page: a malicious service was installed on their machine and an in-memory backdoor began beaconing to the group’s C2 infrastructure. Notably, Google says the victims were running fully patched and updated versions of Windows 10 and Chrome at the time of their compromise, and that it could not confirm the mechanism used to compromise them.
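The Visual Studio project lure works because MSBuild will run whatever shell commands a project’s build events or Exec tasks contain the moment someone builds it. A practical check before building a project received from a stranger is to list those commands first. The following scanner is an added example written for this article; it is not code from Google’s post or from the campaign, and the .vcxproj embedded in it is constructed to show what a loader-style build event looks like (the `helper.dll` name and the `rundll32` command are illustrative, not indicators from the campaign).

```python
"""Scan an MSBuild project file (.vcxproj/.csproj) for commands that run at build time.

Added example for this article, not code from Google's post or the campaign.
SAMPLE_VCXPROJ below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Element names whose <Command> child is executed by MSBuild / Visual Studio.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}

# Patterns that commonly appear when a build step is abused as a malware loader.
# Assumption: this list is a starting point, not an exhaustive signature set.
SUSPICIOUS = re.compile(
    r"(rundll32|regsvr32|powershell|mshta|certutil|cmd(\.exe)?\s*/c|\.dll\b)",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag, if present."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def find_build_commands(project_xml):
    """Return (location, command) pairs for every command MSBuild would run.

    Covers both the classic build-event elements and <Exec> tasks inside
    <Target> blocks; works with and without the MSBuild namespace.
    """
    root = ET.fromstring(project_xml)
    found = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((name, child.text.strip()))
        elif name == "Exec":
            cmd = elem.attrib.get("Command", "").strip()
            if cmd:
                found.append(("Exec task", cmd))
    return found


def flag_suspicious(project_xml):
    """Return only the build-time commands that match loader-like patterns."""
    return [(loc, cmd) for loc, cmd in find_build_commands(project_xml)
            if SUSPICIOUS.search(cmd)]


# Constructed sample: one benign copy step, one benign echo, and one PreBuildEvent
# that loads a DLL shipped with the project (the hypothetical helper.dll).
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
    </ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe "$(SolutionDir)helper.dll",Run</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(OutDir)"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="echo build finished" />
  </Target>
</Project>
"""


if __name__ == "__main__":
    for location, command in find_build_commands(SAMPLE_VCXPROJ):
        marker = "SUSPICIOUS" if SUSPICIOUS.search(command) else "ok"
        print(f"[{marker}] {location}: {command}")
```

Run it against every .vcxproj and .csproj in an untrusted project (the `Condition` attribute matters too: a command hidden under a configuration you do not normally build still executes when that configuration is selected). The regex is deliberately loose; the goal is to surface every build-time command for a human to read, not to decide on its own that a project is safe.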
Google provided a list of known social media accounts tied to the campaign as well as indicators of compromise, warning ..