North Korea’s hackers homed in on specific infosec researchers and infected their systems with a backdoor after luring them to a suspicious website, Google revealed on Monday.
The internet giant’s Threat Analysis Group said Pyongyang’s snoops would send private messages to their targets – primarily folks investigating security vulnerabilities – via Twitter, LinkedIn, Telegram, Discord, Keybase or plain ol’ email, and try to lure them to a blog promising details of exploitable bugs.
However, after surfing to that website, the researchers discovered malware had been injected into their PCs and was running stealthily in the background. It’s assumed the webpage was able to exploit one or more holes in the victims’ browsers and systems to achieve this, though the exact methods are not fully known right now.
“The researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” said Googler Adam Weidemann.
“At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have.”
Researchers would also be offered Visual Studio projects said to contain exploit code. These files included a DLL, run via Visual Studio Build Events, that connected to a remote server to fetch and execute its masterminds’ instructions.
Stuck inside with time on your hands? The US govt would like to remind you it’s paying $5m for Nork hacking scalps
This was a long-con. Over several months, Kim Jong Un’s spies set up a plausible-looking blog covering security vulnerabilities, along with multiple social media accounts, and even recruited unwitting legitimate security researchers to guest post on the site.
It wasn’t a perfect operation. On January 14, the operators posted on YouTube how they exploited Windows Defender vulnerability CVE-2021-1647, though the attempt was obviously faked. The team used another social media account to defend the video when people called them out on it.
The attacks are attributed to North Korea by Google, and the Chocolate Factory has posted a full list of dodgy online accounts and profiles, domains, and file paths associated with the campaign in its report, linked above.
Whoever was behind it, they were, it appears, looking to glean new and valuable vulnerabilities and other intelligence from their targets’ private research. Now it’s the case that if anyone can figure out how the North Koreans got into their victims’ PCs, there’s a pretty penny to be made with those exploits – preferably by getting the flaw fixed via a bug bounty.
“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,” Weidemann concluded. ®