Towards the end of January 2021, Google's Threat Analysis Group revealed that a group of North Korean hackers is targeting security researchers online, specifically seeking out those working on vulnerabilities and exploits.
Now, Microsoft has confirmed that it was also tracking the DPRK hacking team, as revealed in a recently published report.
Microsoft Tracking North Korean Hacking Group
In a report posted on the Microsoft Security blog, the Microsoft Threat Intelligence Team details its knowledge of the DPRK-linked hacking group. Microsoft tracks the hacking group as "ZINC," while other security researchers are opting for the more well-known name of "Lazarus."
Both the Google and Microsoft reports explain that the ongoing campaign uses social media to begin normal conversations with security researchers before sending them files containing a backdoor.
The hacking team runs several Twitter accounts (along with LinkedIn, Telegram, Keybase, Discord, and other platforms), which have been slowly posting legitimate security news, building a reputation as a trusted source. After a period, the actor-controlled accounts would reach out to security researchers, asking them specific questions about their research.
If the security researcher responded, the hacking group would attempt to move the conversation onto a different platform, such as Discord or email.
Once the new communication channel was established, the threat actor would send a compromised Visual Studio project, hoping the security researcher would run the code without analyzing its contents.
The North Korean hacking team had gone to great lengths to disguise the malicious file within the Visual Studio project, swapping out a standard database file for a malicious DLL, along with other obfuscation methods.
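As an added illustration of the defensive check implied by the file swap described above (this is not code from Microsoft, Google or this article), the Python script below walks a project directory and flags any file whose bytes carry a Windows PE header (the "MZ" DOS stub followed by a "PE\0\0" signature) but whose extension is not one a DLL or EXE would normally be stored under. The sample project tree it scans is constructed in a temporary directory, and the file names in it are made up for the demo.

```python
"""Flag files in a Visual Studio project tree that are really Windows PE images
(DLL/EXE) hidden under a non-executable extension, e.g. a "database" file that
is actually a DLL.

Added example; not code from Microsoft, Google or the article. The project
tree scanned in demo() is constructed on the fly with made-up file names.
"""
import os
import tempfile

# Extensions under which a PE image is expected; a PE header under any other
# extension is worth a look before the project is built or opened.
EXPECTED_PE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx"}


def is_pe_image(path: str) -> bool:
    """True if the file starts with the 'MZ' DOS magic and carries a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (bytes 60..63 of the header)."""
    with open(path, "rb") as fh:
        header = fh.read(64)
        if len(header) < 64 or header[:2] != b"MZ":
            return False
        e_lfanew = int.from_bytes(header[60:64], "little")
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\x00\x00"


def find_disguised_pe_files(root: str) -> list:
    """Return project-relative paths of PE images stored under unexpected extensions."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in EXPECTED_PE_EXTENSIONS:
                continue  # a DLL named .dll is normal; only mismatches are flagged
            path = os.path.join(dirpath, name)
            try:
                if is_pe_image(path):
                    hits.append(os.path.relpath(path, root))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(hits)


def build_sample_project(root: str) -> None:
    """Constructed sample tree: one honest DLL, one text file, one real-looking
    database file, and one '.db' file whose bytes are actually a PE image."""
    # Minimal PE-shaped bytes: 'MZ', zero padding, e_lfanew = 64, then 'PE\0\0'.
    fake_pe = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
    os.makedirs(os.path.join(root, "src"), exist_ok=True)
    with open(os.path.join(root, "helper.dll"), "wb") as fh:
        fh.write(fake_pe)                      # expected: a DLL under .dll
    with open(os.path.join(root, "src", "main.cpp"), "w") as fh:
        fh.write("int main() { return 0; }\n")
    with open(os.path.join(root, "notes.db"), "wb") as fh:
        fh.write(b"SQLite format 3\x00" + b"\x00" * 48)  # genuine-looking database
    with open(os.path.join(root, "project.db"), "wb") as fh:
        fh.write(fake_pe)                      # the disguised DLL (constructed)


def demo() -> list:
    """Build the constructed sample project and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_project(tmp)
        return find_disguised_pe_files(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("PE image under a non-executable extension:", hit)
```

A match is a reason to inspect the project before building or opening it, not proof of compromise on its own; the check only covers files whose contents are a PE image, so a project that loads a malicious component some other way would need separate review.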
According to the Google report on the campaign, the malicious backdoor isn't the only attack method.
In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors' blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher's system and an in-memory backdoor would begin beaconing to an actor-owned command and control server.
Microsoft believes that "a Chrome browser exploit was likely hosted on the blog," although this is not yet verified by either research team. Adding to this, both Microsoft and Google believe a zero-day exploit was used to complete this attack vector.
Targeting Security Researchers
The immediate threat of this attack is to security researchers. The campaign has specifically targeted security researchers involved in threat detection and vulnerability research.
Not gonna lie, the fact I was targeted is sweet sweet validation of my skillz ;) https://t.co/1WuIQ7we4R
— Aliz (@AlizTheHax0r) January 26, 2021
As we often see with highly targeted attacks of this nature, the threat to the general public remains low. However, keeping your browser and antivirus programs up to date is always a good idea, as is not clicking random links on social media.