North Korean state attacks legitimate security researchers

An ongoing campaign targeting legitimate security researchers within the industry appears to be the work of a government-backed entity based in North Korea, according to a new report from Google’s Threat Analysis Group, which has been tracking the campaign for a few months.

The group members have spent time and effort building credibility as legitimate cyber security researchers themselves, setting up a research blog and using sock puppet Twitter profiles both to interact with their targets and amplify their own reach.

The research blog contains a number of write-ups and analyses of publicly disclosed vulnerabilities, such as might be seen on a legitimate security website, and even carries guest posts from unwitting security researchers.

The group has also posted a number of exploit proofs of concept – including a YouTube video that purported to show a successful exploit of the CVE-2021-1647 Windows Defender vulnerability, which was patched by Microsoft on 13 January. Needless to say, the video is fake and no working exploit was demonstrated.

Google’s Adam Weidemann explained how the group targets specific security researchers using a novel technique. “After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” he wrote.

“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL [Dynamic Link Library] that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 [command and control] domains.”

Weidemann said that in addition to targeting its victims via social engineering, some researchers had been compromised after visiting their blog. In these cases, the victims followed a malicious Twitter link that gave the group access to their systems to install a malicious service, which enabled an in-memory backdoor to beacon to the C2 server.

The systems involved in this compromise were fully patched and running up-to-date versions of Microsoft Windows 10 and Google’s own Chrome browser.

Weidemann said that his team had been unable to confirm the precise mechanism of compromise used in these instances, but he would welcome any additional information, and noted that Chrome vulnerabilities, including in-the-wild exploits, carry reward payouts under a bug bounty programme.

Google’s team has published a list of known social media accounts and aliases used by the group to communicate with its victims, alongside a list of indicators of compromise, both of which can be reviewed here.

“If you are concerned that you are being targeted, we recommend that you compartmentalise your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,” wrote Weidemann.