A cyber-espionage campaign from North Korea has been targeting security researchers engaged in vulnerability research and development.
Google’s Threat Analysis Group (TAG) has issued an early warning to the security research community. The objective is to remind security researchers of the ever-present risk of government-backed attackers and encourage them to remain vigilant in their security practices.
TAG previously disclosed a similar campaign in 2021, in which North Korea-backed actors used zero-day exploits to compromise security researchers. This latest campaign resembles the earlier operation and includes the exploitation of at least one zero-day vulnerability that has been reported to the vendor and is currently undergoing patching.
The threat actor’s modus operandi involves using social media platforms, such as X, to establish connections and build rapport with their targets, often engaging in months-long conversations to gain the trust of security researchers.
Once a relationship is established, the threat actors transition to encrypted messaging apps like Signal, WhatsApp, or Wire. Subsequently, the attackers deliver a malicious file containing at least one zero-day vulnerability within a widely used software package.
Upon successful exploitation, the malicious shellcode conducts various anti-virtual machine checks before transmitting harvested information, including a screenshot, to an attacker-controlled command and control domain. The shellcode’s construction mirrors that of the previous North Korean exploits.
In a worrying twist, the North Korean threat actors have also developed a secondary infection vector: a standalone Windows tool with the seemingly innocuous purpose of ‘download debugging symbols from Microsoft, Google, Mozilla, and Citrix symbol servers for reverse engineers’. This tool has received several updates since it was first published on GitHub on September 30, 2022. While it may appear useful for retrieving symbol information, it can also download and execute arbitrary code from an attacker-controlled domain.
Other cybersecurity researchers have also published analyses of North Korean threat actors targeting security researchers. Mandiant reported in March that North Korea’s UNC2970 (also known as Temp Hermit) is targeting users on LinkedIn.
In August, a report came out detailing the risks faced by cybersecurity experts, not only in the cyber sphere but in real life, too.
As the investigation into this latest campaign continues, security researchers and organisations are urged to remain vigilant and prioritise robust cybersecurity practices to safeguard against these persistent threats from North Korea.