In an update, Google’s Threat Analysis Group (TAG) has issued a report on an ongoing campaign by North Korean threat actors that specifically targets security researchers. Dating back to January 2021, this campaign employs zero-day exploits to compromise the security of researchers engaged in vulnerability research and development.
Over the past two and a half years, TAG has diligently monitored and disrupted multiple campaigns orchestrated by these North Korean actors, revealing zero-day vulnerabilities and safeguarding online users. Recently, TAG identified a new campaign that bears similarities to the previous one. Alarmingly, they have confirmed the active exploitation of at least one zero-day vulnerability in the past few weeks, prompting them to take immediate action.
To mitigate the risks, TAG has reported this vulnerability to the affected vendor, and efforts are underway to patch it. While their analysis of this campaign remains ongoing, TAG has decided to provide early notification to the security research community. This serves as a stark reminder that security researchers can become targets of government-backed attackers, underscoring the importance of maintaining vigilance in security practices.
The tactics employed by these North Korean threat actors resemble those used in the prior campaign. They initiate contact with potential targets through social media platforms and gradually build trust. Once a rapport is established, they move the conversation to encrypted messaging apps such as Signal, WhatsApp, or Wire. Eventually, the threat actors send malicious files containing at least one zero-day exploit hidden within popular software packages.
Upon successful exploitation, the malicious code executes a series of anti-virtual machine checks and transmits collected data, such as screenshots, to a command and control domain controlled by the attackers. The shellcode used in these exploits shows similarities to previous North Korean exploits.
Besides zero-day exploits, the threat actors have also developed a standalone Windows tool designed to download debugging symbols from central symbol servers, including those of Microsoft, Google, Mozilla, and Citrix. However, this tool carries the risk of downloading and executing arbitrary code from attacker-controlled domains, posing a significant threat to those who have used it.
TAG strongly advises individuals who have downloaded or run this tool to take precautions, including ensuring their systems are clean, which may necessitate a complete OS reinstallation. As part of its commitment to combating these severe threats, TAG uses its research findings to enhance the safety and security of Google’s products, promptly adding identified websites and domains to Safe Browsing to protect users from further exploitation.
Additionally, TAG sends government-backed attacker alerts to targeted Gmail and Workspace users, encouraging potential targets to activate Enhanced Safe Browsing for Chrome and to ensure their devices are up to date.
The discovery of this ongoing campaign serves as a reminder of the constant threats faced by security researchers and the need for proactive measures. By promptly alerting the security research community and taking steps to address the vulnerabilities, TAG demonstrates its dedication to protecting users from these types of attacks.
It is crucial for individuals and organizations to remain informed about the latest developments in cybersecurity, such as this North Korean campaign. By staying updated on the latest news and adopting recommended security practices, users can protect themselves from potential threats and contribute to a safer online environment.