Google Reveals That North Korean Hackers Are Targeting Security Researchers By Creating Fake Persona On Social Networks


According to a recent report from Google’s Threat Analysis Group (TAG), a hacking group backed by the North Korean government has targeted cybersecurity researchers by exploiting their interest in exploit development and vulnerability research. TAG is the Google security team that hunts APT (Advanced Persistent Threat) groups. The actors were observed building fake Twitter profiles and a fake research blog about already-public vulnerabilities in order to pass as cybersecurity researchers.

Google, in its blog post, wrote: “in order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control.”

Although the accounts created by the threat actors were fake, they were convincing. The threat actors used further fake accounts on Twitter, LinkedIn, Telegram, Discord, Keybase, and email to reach out to the researchers they had selected.

Google said, “These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase, and email.” The attackers also used several fake Twitter accounts, along with posts from lesser-known but genuine cybersecurity researchers, to build credibility.

Adam Weidemann, a security researcher in Google’s Threat Analysis Group, explained that “the actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 (command-and-control) domains.”
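The delivery mechanism Weidemann describes, a DLL launched through Visual Studio Build Events, is something a reviewer can check for before building an untrusted project: build events and custom Exec targets are stored as plain XML in the .vcxproj file. The following Python script is an added example, not code from Google or from the article; it parses a constructed sample project (the project contents, the command strings, and the review heuristics are all assumptions made for this demonstration) and lists every command the build would run, flagging the ones that reference DLL loaders, scripting hosts, DLL files, or URLs so a human reads them before pressing Build.

```python
"""Audit a Visual Studio .vcxproj for build events and Exec targets.

Added example (not from Google's report or the article). Build events are
plain XML in the project file, so a reviewer can enumerate them without
opening the project in Visual Studio or building it.
"""
import re
import xml.etree.ElementTree as ET

# Elements whose <Command> child MSBuild runs as a shell command.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")

# Constructed review heuristics: a hit means "read this command before
# building", not "this project is malicious".
SUSPICIOUS = {
    "dll loader": re.compile(r"\b(rundll32|regsvr32)\b", re.I),
    "script host": re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript)\b", re.I),
    "dll reference": re.compile(r"\.dll\b", re.I),
    "url": re.compile(r"https?://", re.I),
}


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.split("}", 1)[-1]


def extract_build_commands(vcxproj_xml):
    """Return [(location, command)] for every command the project would run."""
    root = ET.fromstring(vcxproj_xml)
    # Classic .vcxproj files declare the MSBuild namespace; SDK-style ones may not.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    commands = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            cmd = elem.find(ns + "Command")
            if cmd is not None and cmd.text and cmd.text.strip():
                commands.append((name, cmd.text.strip()))
        elif name == "Exec":  # <Exec Command="..."/> inside a custom <Target>
            cmd = elem.get("Command", "").strip()
            if cmd:
                commands.append(("Target/Exec", cmd))
    return commands


def flag_commands(commands):
    """Return [(location, command, [reasons])] for commands matching a heuristic."""
    flagged = []
    for location, cmd in commands:
        reasons = [label for label, pat in SUSPICIOUS.items() if pat.search(cmd)]
        if reasons:
            flagged.append((location, cmd, reasons))
    return flagged


def audit_vcxproj(vcxproj_xml):
    """Convenience wrapper: all commands plus the flagged subset."""
    commands = extract_build_commands(vcxproj_xml)
    return commands, flag_commands(commands)


# Constructed sample project (hypothetical file names and commands): one harmless
# post-build echo, one pre-build event loading a DLL via rundll32, and a custom
# target that runs a PowerShell script.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" ToolsVersion="16.0"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
    </ClCompile>
    <PostBuildEvent>
      <Command>echo Build finished</Command>
    </PostBuildEvent>
    <PreBuildEvent>
      <Command>rundll32.exe $(SolutionDir)helper.dll,Start</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="PrepareTools" BeforeTargets="Build">
    <Exec Command="powershell -ExecutionPolicy Bypass -File $(ProjectDir)setup.ps1" />
  </Target>
</Project>
"""


if __name__ == "__main__":
    all_cmds, flagged = audit_vcxproj(SAMPLE_VCXPROJ)
    print(f"{len(all_cmds)} build command(s) found, {len(flagged)} flagged")
    for location, cmd, reasons in flagged:
        print(f"  [{location}] {cmd}\n      reasons: {', '.join(reasons)}")
```

Run it against a real project by reading the .vcxproj into a string and passing it to `audit_vcxproj`; the same approach extends to .props and .targets files the project imports, which can also carry Exec targets.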

This was a social engineering campaign aimed specifically at cybersecurity researchers running fully patched Windows 10 and the most recent version of Google Chrome. Google also describes infections that spread through visits to the actors’ blog: “in addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.”
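The blog domain above is published defanged (blog.br0vvnn[.]io), which is how indicator lists are normally shared so they cannot be clicked by accident. A team checking whether anyone visited it has to refang the indicator before comparing it against DNS or proxy logs, and should match subdomains as well as the exact host. The following Python script is an added example, not code from Google or from the article; it uses the one domain quoted on this page plus a clearly labelled placeholder entry, and runs over constructed log lines (not real data) to show the matching logic.

```python
"""Match defanged domain IoCs against DNS/proxy log lines.

Added example (not from Google's post or the article). The checker refangs
indicators such as blog.br0vvnn[.]io and treats a logged hostname as a hit
when it equals the indicator or is a subdomain of it.
"""
import re

# The one domain quoted in the article; Google's full list is not on this
# page, so the second entry is a constructed placeholder, not a real IoC.
IOC_DOMAINS = ["blog.br0vvnn[.]io", "placeholder-ioc[.]example"]


def refang(indicator):
    """Turn 'blog.br0vvnn[.]io' or 'hxxps://host[.]tld/path' into a lowercase hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = re.sub(r"^hxxps?://", "", s)
    return s.split("/", 1)[0]


def host_matches(host, ioc_host):
    """True if host is the indicator itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == ioc_host or host.endswith("." + ioc_host)


# Hostname-looking tokens: one or more dotted labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def scan_log(lines, indicators=IOC_DOMAINS):
    """Return [(line_no, matched_host, indicator)] for log lines touching an IoC."""
    refanged = [refang(i) for i in indicators]
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            for ioc in refanged:
                if host_matches(host, ioc):
                    hits.append((n, host.lower().rstrip("."), ioc))
    return hits


# Constructed log lines (not real data): a DNS query log and a proxy log.
# Line 5 is a look-alike that must NOT match.
SAMPLE_LOG = [
    "2021-01-25T10:02:11Z dns query client=10.0.0.12 qname=www.example.com type=A",
    "2021-01-25T10:03:40Z dns query client=10.0.0.12 qname=blog.br0vvnn.io type=A",
    "2021-01-25T10:03:41Z proxy GET https://blog.br0vvnn.io/post/1 status=200",
    "2021-01-25T10:05:02Z dns query client=10.0.0.9 qname=cdn.blog.br0vvnn.io. type=A",
    "2021-01-25T10:06:00Z dns query client=10.0.0.9 qname=notbr0vvnn.io type=A",
]


if __name__ == "__main__":
    for line_no, host, ioc in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} matches indicator {ioc}")
```

The subdomain check matters because a redirect or CDN host under the indicator domain is still a visit to actor infrastructure, while a merely similar name (the `notbr0vvnn.io` line) is not.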

Google explained that it does not know which vulnerability or exploit was used to infect fully patched Windows 10 systems running the latest version of Chrome, and added, “we welcome any information others might have.”

The likely motive for targeting cybersecurity researchers is access to the vulnerabilities and exploits those researchers have discovered, which the attackers could then reuse in their own attacks.

It is clear that attackers are not leaving anyone out: they target everyone from security agencies and cybersecurity researchers to clothing stores and exclusive hotels. With that in mind, it is necessary for all of us to take as many security measures as possible.

Google, on its blog page, has published a list of the fake accounts and the link to the blog used to spread the infection, and recommends that anyone who has contacted any of those accounts or visited the blog search their devices for the listed IOCs. You can visit the blog/list here.
