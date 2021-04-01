



A North Korean hacking group known to have targeted security researchers in the past has upped its game by setting up a fake offensive security company.

The threat actors, believed to be state-sponsored and supported by the North Korean ruling party, were first documented by Google’s Threat Analysis Group (TAG) in January 2021.

Google TAG, which specializes in tracking advanced persistent threat (APT) groups, said at the time that the North Korean attackers had built a web of fake profiles across social media platforms such as Twitter, Keybase and LinkedIn.

“To build credibility and connect with security researchers, the actors have established research blogs and multiple Twitter profiles to interact with potential targets,” Google said. “They use these Twitter profiles to post links to their blogs, post videos of claimed exploits, and amplify and retweet posts from other accounts they manage.”

When members of the group reach out to a target, they ask whether the intended victim wants to collaborate on cybersecurity research before sending a malicious Visual Studio project that includes a backdoor. Alternatively, they ask researchers to visit a blog hosting malicious code, including browser exploits.

In an update posted on March 31, TAG’s Adam Weidemann said the state-sponsored group has changed its tactics, creating a fake offensive security company complete with new social media profiles and a branded website.

The fake company, called “SecuriElite”, was set up on March 17 at securielite[.]com. SecuriElite claims to be based in Turkey and offers penetration testing services, software security assessments, and exploits.

A link to a PGP public key has been added to the website. Offering PGP as a secure communication option is standard practice, but the group has previously used such links to lure targets to pages set up to serve browser-based exploits.

In addition, SecuriElite’s “team” has been given a new set of fake social media profiles. The attackers pose as fellow security researchers, as recruiters at cybersecurity companies, and, in one case, as an HR manager at “Trend Macro”, not to be confused with the legitimate company Trend Micro.

Google’s team has linked the North Korean group to the use of an Internet Explorer zero-day in January. The company believes the group likely has access to more exploits and will continue to use them against legitimate security researchers.

“We reported all identified social media profiles to the platforms so that they could take appropriate action,” Google said. “At this time, we have not observed the attacker’s new website serving malicious content, but we have added it to Google Safe Browsing as a precautionary measure.”

