



Image: Digital North Korean flag with a group of hooded hackers, illustrating cyber security (Michael Borgers, Getty Images / iStockphoto)

Google said today that a North Korean government hacking group has targeted members of the cybersecurity community engaged in vulnerability research.

The attack was discovered by the Google Threat Analysis Group (TAG), a Google security team that specializes in hunting advanced persistent threat (APT) groups.

In a report released today, Google said the North Korean hackers used fake personas to contact security researchers through multiple profiles on various social networks, including Twitter, LinkedIn, Telegram, Discord, and Keybase.

In some cases email was also used, according to Google.

Google TAG security researcher Adam Weidemann said, “After establishing initial communication, the attacker asks the researcher if they want to cooperate on vulnerability research and offers the researcher a Visual Studio project.”

The Visual Studio project contained malicious code that installed malware on the target researcher’s operating system. The malware acted as a backdoor, connecting to a remote command and control server and waiting for commands.

A new mysterious browser attack has also been discovered

However, Weidemann said the attackers did not always rely on malicious files. In some other cases, they asked security researchers to visit a blog they hosted at blog[.]br0vvnn[.]io (do not access).

Google said the blog hosted malicious code that infected the security researchers’ computers after they visited the site.

“A malicious service has been installed on the researcher’s system and a backdoor in memory has launched a beacon to an actor-owned command and control server,” Weidemann said.

Google TAG also noted that many victims who visited the site were running “the latest fully patched Windows 10 and Chrome browser versions” and were still infected.

Details about the browser-based attack are still scarce, but some security researchers consider it highly likely that the North Korean group used a combination of Chrome and Windows 10 zero-day vulnerabilities to deploy the malicious code.

As a result, the Google TAG team is now asking the cybersecurity community to share details of the attack if any security researchers appear to have been infected by it.

The Google TAG report contains a list of links to the fake social media profiles that the North Korean actors used to lure and deceive members of the infosec community.

Security researchers are encouraged to check their browsing history to see if they have interacted with any of these profiles or if they have accessed the malicious blog.br0vvnn.io domain.

Image: Google

Anyone who did is likely to have been infected and will need to take certain steps to investigate their own system.

The reason for targeting security researchers is fairly obvious: the North Korean group can steal the vulnerabilities discovered by the infected researchers, which the threat group can then deploy in its own attacks with little or no development cost.

Meanwhile, some security researchers have already disclosed on social media that they received messages from the attackers’ accounts, but none has admitted that their system was compromised.

Warning! I was able to confirm that this was true and was hit by @z0x55g, who sent me a PoC trigger for the Windows kernel. This vulnerability was realistic and complicated to trigger. Fortunately, I ran it only on a VM. The VMDK I was using at the end was actually corrupted and couldn’t boot, so it self-imploded https://t.co/dvdCWsZyne.

Richard Johnson (@richinseattle) January 26, 2021

