Over the past few months, hackers have been trying to surreptitiously backdoor the computer systems of a number of security researchers working on vulnerability research and development at different companies and organizations, the Google Threat Analysis Group (TAG) revealed on Monday.
The hackers’ tactics
The hackers, who Google TAG believes are backed by the North Korean government, first created a blog, populated it with write-ups about publicly disclosed vulnerabilities, then created Twitter, LinkedIn, Keybase, and Telegram accounts with fake personas and used them to try to contact the targeted security researchers directly.
“After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” Google TAG researcher Adam Weidemann explained.
“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.”
This clever approach was supplemented with another: the attackers would share a link to the blog with the targeted researchers and ask them to check out a write-up.
“Shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions,” Weidemann noted.
It seems that the attackers might have exploited a zero-day Chrome vulnerability to pull off the compromise, though the team says it is still unable to confirm the mechanism of compromise.
Have you been targeted?
Google TAG has shared a list of Twitter, LinkedIn, Keybase, and Telegram accounts the attackers used, the URL of the malicious blog, the URLs of command and control domains, malware hashes and host-related indicators of compromise.
The release of all this information prompted some of the targeted researchers to share their experiences:
Reverse engineer and threat intelligence analyst Kevin Perlow has also analyzed some of the malware used in these attacks.
“To date, we have only seen these actors targeting Windows systems as a part of this campaign,” Weidemann concluded.
“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.”
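One concrete way to act on that advice, and on the Visual Studio Build Events delivery mechanism quoted above, is to inspect a shared project's build events before opening or building it. The script below is an added example written for this article (it is not Google TAG's code and not from the campaign): it parses a .vcxproj, lists every Pre/Post-build and custom-step command, and flags commands that load a DLL or hand control to a script host. The sample project and the keyword heuristic are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose <Command> runs an arbitrary shell command during a build.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}

# Heuristic keyword list, constructed for this example: build steps that load a DLL
# or hand control to a script host deserve a manual look before the project is built.
SUSPICIOUS = re.compile(r"\.dll\b|rundll32|regsvr32|powershell|mshta|wscript|cscript|certutil", re.I)

def _local(tag):
    """Strip an XML namespace, e.g. '{http://...}Command' -> 'Command'."""
    return tag.rsplit("}", 1)[-1]

def extract_build_events(vcxproj_xml: str):
    """Return (event_type, command) for every build event with a non-empty command."""
    root = ET.fromstring(vcxproj_xml)
    events = []
    for elem in root.iter():
        if _local(elem.tag) not in BUILD_EVENT_TAGS:
            continue
        for child in elem:
            if _local(child.tag) == "Command" and child.text and child.text.strip():
                events.append((_local(elem.tag), child.text.strip()))
    return events

def flag_suspicious(vcxproj_xml: str):
    """Return only the build events whose command matches the heuristic list."""
    return [(t, c) for t, c in extract_build_events(vcxproj_xml) if SUSPICIOUS.search(c)]

# Constructed sample .vcxproj (not a file from the campaign described in the article).
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dll",Init</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    flagged = set(flag_suspicious(SAMPLE_VCXPROJ))
    for tag, cmd in extract_build_events(SAMPLE_VCXPROJ):
        print(f"[{'REVIEW' if (tag, cmd) in flagged else 'ok'}] {tag}: {cmd}")
```

Run it against a real .vcxproj by reading the file into a string first; the keyword list is a starting point for review, not a verdict, since a benign post-build copy step is listed but not flagged.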
from Help Net Security https://ift.tt/3iKX7Bj