North Korean threat actors have launched a new campaign targeting security researchers, using at least one zero-day exploit to compromise their machines. Clement Lecigne and Maddie Stone of Google's Threat Analysis Group (TAG) have issued a warning about the latest attack.
The attackers began by contacting researchers on social media platforms such as X (formerly Twitter) or Mastodon, posing as peers who wanted to collaborate on security research. Once a conversation was established, they moved it to an end-to-end encrypted messaging app such as Signal, WhatsApp, or Wire. After building trust over the course of the exchange, the attackers sent the researcher a malicious file containing at least one zero-day exploit for a popular software package.
Upon successful exploitation, the shellcode ran a series of anti-virtual-machine checks, then sent the information it had gathered from the host, along with a screenshot, to a command-and-control domain operated by the attackers. Separately, the attackers steered researchers towards a standalone Windows tool called GetSymbol, published on GitHub, which is ostensibly a reverse-engineering utility that fetches debugging symbols from the Microsoft, Google, Mozilla, and Citrix symbol servers. The tool also had the capability to download and execute arbitrary code from an attacker-controlled domain, so a utility that looks genuinely useful doubles as a loader.
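To make the "anti-virtual-machine checks" concrete, the following is an added example written for this article; it is not the actors' shellcode, whose exact checks Google has not published. It shows three well-known heuristics that sandbox-evading code commonly uses: the CPUID hypervisor-present bit, the hypervisor vendor signature leaf, and the names of guest-tools drivers a Windows implant would look for. It assumes an x86/x86-64 host with GCC or Clang for the live CPUID probe (elsewhere only the pure helper functions are usable); the vendor signatures and driver names are public values chosen here for illustration.

```c
/*
 * Added illustration for this article: the kind of anti-VM checks that
 * shellcode commonly runs before it talks to its C2. This is NOT the actors'
 * shellcode; the checks, vendor signatures and driver names are well-known
 * public heuristics chosen as examples.
 *
 * Build: cc -O2 -o antivm antivm.c   (live probe needs x86/x86-64 + GCC/Clang)
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if (defined(__x86_64__) || defined(__i386__)) && (defined(__GNUC__) || defined(__clang__))
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Check 1: CPUID leaf 1, ECX bit 31. Reserved (0) on bare metal; most
 * hypervisors set it to advertise their presence. Pure, testable offline. */
int hypervisor_present_bit(uint32_t leaf1_ecx)
{
    return (int)((leaf1_ecx >> 31) & 1u);
}

/* Check 2: CPUID leaf 0x40000000 returns a 12-byte vendor signature in
 * EBX:ECX:EDX. Returns the hypervisor name, or NULL if unrecognised. */
const char *hypervisor_vendor_name(const char *sig12)
{
    static const struct { const char sig[13]; const char *name; } known[] = {
        { "KVMKVMKVM\0\0\0", "KVM" },
        { "Microsoft Hv",    "Hyper-V" },
        { "VMwareVMware",    "VMware" },
        { "VBoxVBoxVBox",    "VirtualBox" },
        { "XenVMMXenVMM",    "Xen" },
        { "TCGTCGTCGTCG",    "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (memcmp(sig12, known[i].sig, 12) == 0)
            return known[i].name;
    return NULL;
}

/* Check 3: guest-tools driver names an implant might look for under
 * System32\drivers. Case-insensitive match against a short known list. */
int vm_driver_name(const char *basename)
{
    static const char *const drivers[] = {
        "vmmouse.sys", "vmhgfs.sys", "vmci.sys",
        "vboxmouse.sys", "vboxguest.sys", "vboxsf.sys",
    };
    for (size_t i = 0; i < sizeof drivers / sizeof drivers[0]; i++) {
        const char *a = basename, *b = drivers[i];
        while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
            a++;
            b++;
        }
        if (*a == '\0' && *b == '\0')
            return 1;
    }
    return 0;
}

/* Live probe of the current machine. Fills sig12 (12 bytes + NUL) and returns
 * the number of CPUID-based VM indicators found (0 when CPUID is unavailable). */
int probe_vm_indicators(char sig12[13])
{
    int hits = 0;
    unsigned a = 0, b = 0, c = 0, d = 0;
    memset(sig12, 0, 13);
#if HAVE_CPUID
    __cpuid(1, a, b, c, d);
    if (hypervisor_present_bit(c))
        hits++;
    __cpuid(0x40000000, a, b, c, d);
    memcpy(sig12 + 0, &b, 4);
    memcpy(sig12 + 4, &c, 4);
    memcpy(sig12 + 8, &d, 4);
    if (hypervisor_vendor_name(sig12))
        hits++;
#else
    (void)a; (void)b; (void)c; (void)d;
#endif
    return hits;
}

int main(void)
{
    char sig[13];
    int hits = probe_vm_indicators(sig);
    const char *name = hypervisor_vendor_name(sig);
    printf("cpuid VM indicators: %d, vendor: %s\n", hits, name ? name : "(none/unknown)");
    /* A real implant would typically exit silently here when hits > 0; an
     * analysis VM that hides the presence bit and vendor leaf defeats exactly
     * these two checks. */
    return 0;
}
```

The defensive takeaway: a sample received from an unknown "collaborator" should be expected to fingerprint the analysis environment, so detonate it on bare metal or in a hypervisor configured to hide these artifacts (VMware, for instance, clears the presence bit with `hypervisor.cpuid.v0 = "FALSE"` in the .vmx file), and treat a sample that quietly does nothing inside a VM as a signal in itself.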
To limit the damage, Google TAG advised anyone who had downloaded or run the tool to take precautions to return their system to a known clean state, which will likely require reinstalling the operating system. Google has not yet disclosed which software the zero-day exploit targets.
In their statement, Lecigne and Stone said that they had reported the vulnerability to the affected vendor and that a patch is in progress. Once the patch is released, Google will publish additional technical details and analysis of the exploits involved, in line with its disclosure policy.
This is not the first time North Korean threat actors have targeted security researchers. A similar campaign came to light in January 2021, when the actors created accounts on a range of platforms, including Twitter, LinkedIn, Keybase, and Telegram, to contact researchers directly. Microsoft, which tracks the actor as ZINC, also detailed that campaign in a blog post.
In the 2021 campaign, the attackers would build trust with a researcher and then share a link, typically to a blog post, asking them to look at the content. Shortly after the researcher visited the page, a malicious service was installed on their system and an in-memory backdoor began beaconing to an actor-controlled command-and-control server. In other cases the attackers offered a Visual Studio project to "collaborate" on, which bundled a malicious DLL executed through Visual Studio build events, the same pattern of a working tool doubling as a loader that GetSymbol repeats.
These targeted attacks on security researchers show that strong operational security matters inside the research community as much as anywhere else. Researchers should verify the identity of a new contact through an independent channel before opening anything they send, treat shared projects and tools as untrusted until they have inspected what they actually do (build events, update and download routines, outbound connections), and open such files only in an isolated, disposable environment, bearing in mind that the malware may check whether it is running in a virtual machine and behave differently.
As the threat landscape continues to evolve, organisations and individuals need to stay alert to the latest threats and vulnerabilities. Collaboration between security researchers, vendors, and governments remains vital to countering these sophisticated attacks and guarding against future ones.
