Google’s Threat Analysis Group (TAG) warns of a hacker group that reaches out to targets on social media in order to deploy zero-day exploits against them.
The group, which Google researchers have tracked for some time, has recently upgraded its tactics by posing as a new, fake security firm, TAG’s Adam Weidemann said in an update posted on March 31.
A North Korean hacking group was first documented by Google’s TAG in January 2021. The group, believed to be state-sponsored and backed by North Korea’s ruling party, created a website for a fake security firm to add credibility when contacting targets on Twitter, Keybase, and LinkedIn.
“In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets,” Google said. The hackers used the Twitter profiles to post links to their fake blog and videos of the exploits they claimed to have discovered, and to retweet posts from their other accounts.
They invited their targets to collaborate on cybersecurity research, after which they sent the victims a malicious Visual Studio project containing a backdoor. The hackers are also known to have used PGP, a standard practice for secure communication, as a lure to draw their targets to a page where a browser-based exploit was deployed.
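A project file shared for "collaboration" is a plausible delivery vehicle because MSBuild will execute whatever a project's build events tell it to. The following is an added example (not Google TAG's code, and the article does not say how the backdoor was embedded); it assumes the payload is wired into build events or `Exec` tasks and scans a `.vcxproj`/`.csproj` for build steps that launch script interpreters, use hidden or encoded PowerShell switches, or reach the network. The sample project, the tag list and the regexes are constructed for the example.

```python
"""Heuristic triage of executable build steps in an MSBuild project file.

Added example, not TAG's tooling. It assumes a backdoored project carries its
payload in PreBuildEvent/PostBuildEvent/PreLinkEvent commands or <Exec> tasks;
the article only says the project contained a backdoor, not how.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Script interpreters and living-off-the-land binaries that rarely belong in a build step.
SUSPICIOUS_BIN = re.compile(
    r"\b(powershell|pwsh|mshta|rundll32|regsvr32|certutil|bitsadmin|wscript|cscript)\b",
    re.IGNORECASE,
)
# Hidden-window / encoded-command PowerShell switches (PowerShell accepts prefix forms).
OBFUSCATION = re.compile(
    r"(?:^|\s)-(?:e|en|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden)\b",
    re.IGNORECASE,
)
# Anything that reaches out to the network from a build step.
NETWORK = re.compile(r"https?://|\bDownloadString\b|\bInvoke-WebRequest\b|\biwr\b", re.IGNORECASE)

# Elements whose text MSBuild hands to the shell (.csproj style puts the command in the text).
EVENT_TAGS = ("PreBuildEvent", "PostBuildEvent", "PreLinkEvent")


def _local(tag: str) -> str:
    """Drop the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def assess(command: str) -> Dict[str, object]:
    """Classify one build command; 'review' means nothing matched but a human should still look."""
    reasons: List[str] = []
    if SUSPICIOUS_BIN.search(command):
        reasons.append("script interpreter or LOLBin invoked")
    if OBFUSCATION.search(command):
        reasons.append("hidden/encoded PowerShell switches")
    if NETWORK.search(command):
        reasons.append("network access from build step")
    return {"severity": "high" if reasons else "review", "reasons": reasons}


def scan_project(xml_text: str) -> List[Dict[str, object]]:
    """Return one finding per build step MSBuild would execute, in document order."""
    root = ET.fromstring(xml_text)
    parent = {child: node for node in root.iter() for child in node}
    findings: List[Dict[str, object]] = []
    for elem in root.iter():
        name = _local(elem.tag)
        text = (elem.text or "").strip()
        if name == "Exec" and elem.get("Command"):          # <Exec Command="..."/> inside a <Target>
            location, command = "Target/Exec", elem.get("Command")
        elif name == "Command" and text:                     # <PreBuildEvent><Command>...</Command>
            location, command = f"{_local(parent[elem].tag)}/Command", text
        elif name in EVENT_TAGS and text:                    # <PostBuildEvent>...</PostBuildEvent>
            location, command = name, text
        else:
            continue
        findings.append({"location": location, "command": command, **assess(command)})
    return findings


# Constructed sample project: one benign copy step, one hidden encoded PowerShell step,
# and one Exec task that runs a script file. The base64 blob is a placeholder, not a real payload.
SAMPLE_PROJECT = r"""<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>copy "$(OutDir)*.dll" "$(SolutionDir)bin\"</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>powershell -NoProfile -WindowStyle Hidden -EncodedCommand CONSTRUCTED_PLACEHOLDER</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -File &quot;$(ProjectDir)tools\postbuild.ps1&quot;" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for f in scan_project(SAMPLE_PROJECT):
        print(f"[{f['severity']:6}] {f['location']}: {f['command']}")
        for r in f["reasons"]:
            print(f"         - {r}")
```

Run it against any project received from an unknown collaborator before opening it in Visual Studio; the point is that build events execute on build, so review them as you would a downloaded script, and treat "review" findings as a prompt to read the command rather than as a clean bill of health.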
TAG’s Adam Weidemann said that the North Korea-sponsored group has now created a fake security company, complete with new social media profiles and a branded website, for its offensive activities.
“SecuriElite,” the fake company, was set up on March 17, claims to be based in Turkey, and operates on securielite[.]com. The firm claims to offer testing services, software security assessments, and exploits.
The threat actors, posing as security researchers, recruiters for cybersecurity firms, and, in one case, an employee of “Trend Macro,” have been making contact with targets in the cybersecurity sector through new fake social media profiles. Google has since reported the illicit activity from these accounts to the corresponding social media companies.
“We have reported all identified social media profiles to the platforms to allow them to take appropriate action,” Google says. “At this time, we have not observed the new attacker website serve malicious content, but we have added it to Google Safebrowsing as a precaution.”