Arpad Nagy-Bagoly - stock.adobe.
A nation-state threat actor backed by the North Korean government has begun a new phase of a nearly two-year-old campaign targeting legitimate cyber security researchers, leveraging an as-yet undisclosed zero-day to gain access to their victims.
The zero-day in question was uncovered by Google’s Threat Analysis Group (TAG). It has been reported to the supplier whose product it affects and is in the process of being patched. For operational security reasons, little more can be said about it.
However, TAG researchers Clement Lecigne and Maddie Stone said they were revealing some details of their work now to safeguard the community.
“While our analysis of this campaign continues, we are providing an early notification of our initial findings to warn the security research community. We hope this…will remind security researchers that they could be targets of government-backed attackers and to stay vigilant of security practices,” wrote Lecigne and Stone.
“We are committed to sharing our findings with the security community to raise awareness, and with companies and individuals that might have been targeted by these activities. We hope that improved understanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.”
The group’s activity was first highlighted in January 2021, although TAG had been tracking it for some months prior to that. The threat actor spent considerable time and effort building credibility as a supposed security researcher themselves, establishing a research blog and using sock puppet profiles on Twitter (now X) to interact with their targets and amplify their reach.
They also went to the trouble of populating their blog with content detailing new publicly disclosed threats and vulnerabilities, and even solicited guest posts from their unwitting targets.
The group’s latest campaign is using X to build a social rapport with its targets, in one case carrying on a months-long conversation in which they attempted to collaborate with one researcher on topics of interest.
However, the threat actor has now used an account established on the thriving Infosec.Exchange Mastodon instance for security pros, which currently has more than 18,000 members, many of them highly prominent researchers and leaders at high-profile cyber organisations.
Having made contact via social media, they move their chats to encrypted messaging apps such as Signal or WhatsApp to develop the relationship further. Once this is done, the threat actor sends a malicious file containing the zero-day in a “popular software package”.
Exploitation of this zero-day results in the collection and exfiltration of information, including screenshots, to the threat actor’s command-and-control domain. The shellcode in the exploit is constructed similarly to that used in other North Korean exploits, Lecigne and Stone noted.
Get rid of GetSymbol
But the new campaign does not end there. The TAG team has found that the threat actor has now developed a standalone Windows tool called GetSymbol used to download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for the purpose of reverse engineering.
The source code for the GetSymbol utility, which could have legitimate uses for a researcher, was published to GitHub in late 2022 and has been updated since. However, it also has the ability to download and execute arbitrary code from the threat actor’s domain.
“If you have downloaded or run this tool, TAG recommends taking precautions to ensure your system is in a known clean state, likely requiring a reinstall of the operating system,” warned Lecigne and Stone.
Commenting on the TAG team findings, Mayuresh Dani, threat research manager at Qualys, said targeting threat researchers was a growing trend, and other North Korean threat actors including the notorious Lazarus Group have been known to do similar.
Dani explained why security researchers might present a target too tempting for a threat actor to pass up. “[They] use systems that are normally less protected, since they need lax security controls to perform day-to-day activities such as vulnerability research, reverse engineering, and malware analysis,” he said.
“Even though these systems are not attached to a corporate environment, a foothold on one of these machines or network segment would allow the threat attackers to try and move laterally to other enterprise environments. This also could allow them to circumvent normal security mechanisms, as well as keeping a watch on the security research activities in that particular organisation.
“The advice for security researchers is to vet any tool before using it for their day to day tasks. When the source code of such tools is available, it should also be checked like any other software. If no protection is applied on these systems, at least security logging should be enabled. This can enable organisations to detect and respond to such threats.”
Read more about North Korean cyber activity
- Mandiant researchers attribute the supply chain attack to a North Korean threat actor that abused JumpCloud's commands framework to gain access to a downstream customer.
- Mandiant has attributed an ongoing campaign of malicious activity to a newly designated APT that is engaged in the acquisition and laundering of cryptocurrency to fund the regime’s espionage activities.
- WithSecure researchers linked a campaign of cyber attacks targeting medical research and energy firms to North Korea’s infamous Lazarus APT after a group member accidentally screwed up.