Google’s TAG Uncovers New Campaign Targeting Security Researchers

In a blog post published today, Google's Threat Analysis Group (TAG), the company's team that tracks government-backed attackers, warned of a new social engineering campaign targeting security researchers.

TAG writes that over the past several months it has observed a campaign targeting security researchers working on vulnerability research and development at a number of companies and organizations.

They attribute this campaign to a government-backed entity based in North Korea. 

The actors set up a research blog and multiple Twitter profiles, which they used to build credibility and to interact with potential targets.

Screenshot: four actor-controlled Twitter profiles, @z0x55g, @james0x40, @br0vvnn and @BrownSec3Labs.

They went to great lengths to make these look legitimate. The blog even carried guest posts from real security researchers, who unwittingly lent it credibility.

In the blog post, TAG researchers describe a novel social engineering method the attackers used. After establishing initial contact on social media, the actors would ask the targeted researcher whether they wanted to collaborate on vulnerability research, and would then hand over a Visual Studio project. Alongside the exploit source code, the project contained a malicious DLL that ran when the researcher built the project; that DLL is custom malware which immediately began communicating with actor-controlled command-and-control (C2) domains. The practical lesson is that a Visual Studio project is executable content: build events and custom build steps run arbitrary commands at build time, so an untrusted project should be inspected, and built only on an isolated machine.
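The following is an added example, not code from TAG or from this article, of the inspection step a researcher would want before building a project received from a stranger. It assumes the malicious DLL was launched from MSBuild build-time hooks (PreBuildEvent, PostBuildEvent, PreLinkEvent, CustomBuild, Exec tasks or an imported .targets file), which is how such a DLL gets executed by a build. The sample .vcxproj, its command strings and file names are constructed for the demo and are not indicators from the real campaign.

```python
"""Flag build-time command execution in an untrusted Visual Studio project.

Added example (not TAG's or the article's code). MSBuild hands the text of
PreBuildEvent/PreLinkEvent/PostBuildEvent, CustomBuild and Exec tasks to
cmd.exe during a build, and <Import> can pull in further .targets/.props
files that do the same. Read all of them before pressing Build.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"

# Elements whose <Command> child is executed as a shell command by MSBuild.
COMMAND_ELEMENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent",
                    "CustomBuild", "CustomBuildStep"}

# Imports rooted in the toolchain are expected; anything else ships with the project.
TRUSTED_IMPORT_PREFIXES = ("$(VCTargetsPath)", "$(MSBuildToolsPath)",
                           "$(MSBuildExtensionsPath)", "$(MSBuildBinPath)")

# Constructed sample: a "PoC" project with several hidden execution hooks.
SAMPLE_VCXPROJ = r"""<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PostBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,Start</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemGroup>
    <CustomBuild Include="notes.txt">
      <Command>powershell -ep bypass -File $(ProjectDir)setup.ps1</Command>
    </CustomBuild>
  </ItemGroup>
  <Target Name="Prep" BeforeTargets="Build">
    <Exec Command="cmd /c start /b $(ProjectDir)loader.exe" />
  </Target>
  <Import Project="packages\build\extra.targets" />
</Project>
"""

# Constructed sample with no build-time hooks, for comparison.
CLEAN_VCXPROJ = r"""<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
</Project>
"""


def scan_vcxproj(xml_text):
    """Return (kind, condition, command_or_path) for every build-time hook.

    'condition' is the nearest enclosing MSBuild Condition attribute (often on
    the ItemDefinitionGroup), so the reviewer can see which configuration
    triggers the command. Findings are in document order.
    """
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}

    def condition_for(elem):
        while elem is not None:
            cond = elem.get("Condition")
            if cond:
                return cond
            elem = parent.get(elem)
        return ""

    findings = []
    for elem in root.iter():
        tag = elem.tag.replace(NS, "")
        if tag in COMMAND_ELEMENTS:
            cmd = elem.find(NS + "Command")
            if cmd is not None and cmd.text and cmd.text.strip():
                findings.append((tag, condition_for(elem), cmd.text.strip()))
        elif tag == "Exec" and elem.get("Command", "").strip():
            findings.append(("Exec", condition_for(elem), elem.get("Command").strip()))
        elif tag == "Import":
            path = elem.get("Project", "")
            if not path.startswith(TRUSTED_IMPORT_PREFIXES):
                # Not part of the toolchain: open and scan this file as well.
                findings.append(("Import", condition_for(elem), path))
    return findings


if __name__ == "__main__":
    for kind, cond, what in scan_vcxproj(SAMPLE_VCXPROJ):
        print(f"{kind:15} {cond or '(always)':45} {what}")
```

Run it against every .vcxproj, .props and .targets file in a received archive before opening the solution; a clean project such as CLEAN_VCXPROJ yields no findings, while anything reported should be read line by line, and the build itself should still happen only in a throwaway VM.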

Researchers were also compromised simply by visiting the actors' blog: after following a Twitter link to a post hosted on blog.br0vvnn[.]io, malicious code was installed on the researcher's system and an in-memory backdoor began communicating with an actor-owned command-and-control server. Notably, the victims' systems were running fully patched, up-to-date versions of Windows 10 and the Chrome browser at the time, so patch level alone was not a defense here.

The investigation is ongoing, and TAG has not yet confirmed the mechanism of compromise for the blog visits. TAG encourages anyone who discovers a Chrome vulnerability to report it through the Chrome Vulnerability Reward Program (VRP).

TAG also reminds the security research community that it is a target of government-backed attackers and must remain vigilant when engaging with individuals it has not previously interacted with. TAG's concrete recommendation is to compartmentalize research activities: use separate physical or virtual machines for general web browsing, for interacting with others in the research community, for accepting files from third parties, and for the security research itself.

About the author

CIM Team


CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.