
North Korean-backed hackers are targeting security researchers

Security researchers at Google have caught North Korean threat actors actively pursuing cyber security researchers in a campaign reminiscent of one observed in late 2020.

David Hollingworth
Fri, 08 Sep 2023

Google Threat Analysis Group (TAG) is still investigating the campaign but has disclosed its early findings by way of warning to its fellow researchers.

The threat actor – which TAG is not identifying at this time – first targets security researchers via social media, such as the platform formerly known as Twitter. One target was softened up for months, with the threat actor posing as a similar researcher proposing some degree of collaboration on a project.

Once a relationship is established, the threat actor moves the conversation to an encrypted platform such as WhatsApp or Signal.


“Once a relationship was developed with a targeted researcher,” TAG wrote in a blog post, “the threat actors sent a malicious file that contained at least one 0-day in a popular software package”.

The malicious code checks whether it is running inside a virtual machine before collecting information about the target system, including a screenshot, and then sends that data back to the threat actor’s command and control infrastructure.

The shellcode observed in this operation matches that used in previous North Korean campaigns.

In addition to the social engineering campaign, the threat actor has also developed what appears to be a useful debugging tool – called the GetSymbol Project – designed to “download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers”, according to the hackers themselves.

“On the surface, this tool appears to be a useful utility for quickly and easily downloading symbol information from a number of different sources,” TAG said.

“But the tool also has the ability to download and execute arbitrary code from an attacker-controlled domain. If you have downloaded or run this tool, TAG recommends taking precautions to ensure your system is in a known clean state, likely requiring a reinstall of the operating system.”

Google’s research team has shared its findings with the targeted researchers and will share more information as it comes to hand.

“We are committed to sharing our findings with the security community to raise awareness and with companies and individuals that might have been targeted by these activities,” TAG said.


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
