Google's Threat Analysis Group has detailed a new campaign in which North Korean state-backed hackers are targeting security researchers through social media. While asking them to collaborate on researching new exploits, the attackers send them software and URLs that install backdoors on their systems, probably to steal their research work.
Security Researchers Targeted With a Backdoor Campaign
Hunting the hunter is a different game, and it's now being played by North Korean state-backed hackers, as spotted by Google's Threat Analysis Group. They detailed a campaign in which security researchers are being targeted on various platforms, including Keybase, LinkedIn, Twitter, email, Discord, and Telegram.
New blog post from TAG with details of a North Korean campaign targeting security researchers working on vulnerability research and development. https://t.co/Ec2TaMMXeQ
Stay safe out there everyone!
— Shane Huntley (@ShaneHuntley) January 26, 2021
The hackers create fake profiles and message researchers proposing collaboration; once a target agrees, they send a Visual Studio project that supposedly contains a PoC of their work but also includes a malicious DLL that sets up a backdoor. To appear credible, the hackers also publish blog posts and fake PoCs for existing vulnerabilities.
Once the project is opened, it checks the OS type and executes the malicious DLL through rundll32.exe. The DLL is injected into memory and connects to the hackers' C2 server to receive commands. Some researchers have also reported their systems being compromised after merely visiting the blog blog.br0vvnn[.]io (do not open).
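A practical check before opening a Visual Studio project received from a stranger is to inspect its build events, since a project file can run arbitrary commands at build time without the researcher ever executing the "PoC". The scanner below is an added example, not code from the article or from Google TAG; it assumes the malicious DLL is launched from a PreBuildEvent/PostBuildEvent Command in the .vcxproj (the page only says the DLL is executed through rundll32.exe once the project is opened), and the sample project XML, file names and suspicious-binary list are constructed for illustration.

```python
import os
import re
import xml.etree.ElementTree as ET

# MSBuild project namespace used by .vcxproj files
MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
BUILD_EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")

# Living-off-the-land binaries that have no business in a PoC's build events (assumed list).
SUSPICIOUS_PATTERNS = [
    re.compile(r"\brundll32(\.exe)?\b", re.I),
    re.compile(r"\bregsvr32(\.exe)?\b", re.I),
    re.compile(r"\bpowershell(\.exe)?\b", re.I),
    re.compile(r"\bmshta(\.exe)?\b", re.I),
    re.compile(r"\bcertutil(\.exe)?\b", re.I),
    re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.I),
]

# Binary types that should not ship inside a source-only PoC project.
BUNDLED_BINARY_EXTS = (".dll", ".exe", ".scr", ".ocx")


def extract_build_events(vcxproj_xml: str):
    """Return (event_tag, condition, command) for every build-event Command in the project."""
    root = ET.fromstring(vcxproj_xml)
    ns = {"m": MSBUILD_NS}
    events = []
    for group in root.findall("m:ItemDefinitionGroup", ns):
        condition = group.get("Condition", "")
        for tag in BUILD_EVENT_TAGS:
            for event in group.findall(f"m:{tag}", ns):
                cmd = event.find("m:Command", ns)
                if cmd is not None and cmd.text and cmd.text.strip():
                    events.append((tag, condition, cmd.text.strip()))
    return events


def find_suspicious_events(vcxproj_xml: str):
    """Flag build-event commands that invoke a known proxy-execution binary."""
    findings = []
    for tag, condition, cmd in extract_build_events(vcxproj_xml):
        for pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(cmd):
                findings.append({"event": tag, "condition": condition,
                                 "command": cmd, "matched": pattern.pattern})
                break
    return findings


def list_bundled_binaries(project_dir: str):
    """List pre-built binaries shipped alongside the sources (a DLL hidden in a PoC is the article's case)."""
    hits = []
    for dirpath, _, filenames in os.walk(project_dir):
        for name in filenames:
            if name.lower().endswith(BUNDLED_BINARY_EXTS):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def scan_project(project_dir: str):
    """Scan every .vcxproj under project_dir and report build-event and bundled-binary findings."""
    report = {"suspicious_events": [], "bundled_binaries": list_bundled_binaries(project_dir)}
    for dirpath, _, filenames in os.walk(project_dir):
        for name in filenames:
            if name.lower().endswith(".vcxproj"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    for finding in find_suspicious_events(fh.read()):
                        finding["file"] = path
                        report["suspicious_events"].append(finding)
    return report


# Constructed sample project: a Debug pre-build event that launches a bundled DLL via rundll32,
# next to a benign Release post-build copy step.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile><WarningLevel>Level3</WarningLevel></ClCompile>
    <PreBuildEvent>
      <Command>if exist "$(ProjectDir)Browse\\helper.dll" rundll32.exe "$(ProjectDir)Browse\\helper.dll",Entry</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)out\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for finding in find_suspicious_events(SAMPLE_VCXPROJ):
        print(f"[!] {finding['event']} {finding['condition']}: {finding['command']}")
```

Run `scan_project()` against the unpacked project directory from an isolated VM, not from the research workstation; a hit on either list is reason enough not to build the project at all. The check is deliberately static (it never executes the build), and the pattern list is a starting point to extend with whatever your own environment considers abnormal in a build step.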
Twitter accounts spotted in this campaign (br0vvnn, BrownSec3Labs, dev0exp, djokovic808, henya290, james0x40, m5t0r, mvp4p3r, tjrim91, and z0x55g) have this URL in their bios and want targets to click on it. While the exact purpose of the campaign isn't known yet, it's assumed to be stealing the work of the targeted researchers.
It's also noted that all the targets were running the latest versions of Windows 10 and Google Chrome, yet were still infected. This suggests the hackers are using zero-day exploits to infect targets. Google therefore advised researchers to compartmentalize their research work and to use virtualization software when installing such suspicious software.