North Korean Hackers Rely on Social Media to Target Security Researchers

Threat analysts from Google warn of a current malicious campaign aimed at vulnerability researchers and Red Team members. Reportedly, a North Korean nation-backed actor stands behind this operation, leveraging novel social engineering methods to approach individual security practitioners via bogus social media profiles.

Attack Against Security Researchers

The campaign overview from the Google Threat Analysis Group (TAG) estimates that the North Korean nation-backed collective crafted a dedicated blog and a broad network of fake social media accounts to infect threat hunting enthusiasts with malware. Particularly, threat actors posed as researchers working on vulnerability detection and exploit development to creep into trust and strike up an online conversation with their alleged colleagues. 

Hackers decided to cover as many communication channels as possible, creating accounts on Twitter, LinkedIn, Telegram, Keybase, and Discord. Some of the attempts were conducted even via emails. 

Once hooked into the chat, adversaries proposed researchers cooperate on bug analysis and sent them a malware-laced Visual Studio project. This project was evidently aimed at backdoor Trojan delivery, providing hackers with control over the targeted PC. Additionally, users were encouraged to visit a blog. The blog contained articles on exploit analysis and fictitious videos on alleged proof-of-concept (PoC) exploits in action, promoting targeted experts to comment on the content. However, in case visited, the website dropped a malicious code onto all instances accessing this page.

Notably, even users of the latest Windows 10 version running a fully-patched Chrome browser found their devices compromised. The investigation is ongoing, however, experts consider threat actors utilized a set of 0-days for Windows 10 and Chrome to infect victims with their custom Trojans. The malicious software has lots in common with the tools of the infamous Lazarus group working on behalf of the North Korean government.

The main goal of this operation, launched several months ago, seems transparent. Adversaries developed a new social engineering lure to mislead experts and enrich the malicious toolkit with previously undetected vulnerabilities. Having such valuable data, APT actors might reach an unprecedented advantage while attacking high-profile targets, with no costs and time spent on exploit development.

Attack Detection

This notorious attack is still under investigation, so all the affected security analysts are urged to share their insights and additional data with the community. To enhance the defense against the intrusion, SOC Prime team urgently released detection content, so all researchers suspecting possible abuse could check their system for compromise. Feel free to download a corresponding Sigma rule from our Threat Detection Marketplace platform: 

https://tdm.socprime.com/tdm/info/HgPG9NGdS5UB/__m-P3cBTwmKwLA9By4Q/

The rule has translations for the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness

EDR: Carbon Black, Microsoft Defender ATP

MITRE ATT&CK: 

Tactics: Execution, Defense Evasion

Techniques: Trusted Developer Utilities (T1127)

Also, catch up on the latest contributions from our Threat Bounty developers aimed at proactive defense from this threat:

North Korean Campaign Targeting Security Researchers


Lazarus Group Targeting Security Researchers (via sysmon)

Update 01/29/2021: Microsoft released an in-depth report providing additional technical details on the attack kill-chain. To address new challenges revealed during the investigation, our threat hunting engineer and speaker on Security Talks with SOC Prime, Adam Swan, developed an additional detection rule. We’ve opened this premium SIGMA rule for free, so all could search for unusual rundll32 arguments and detect the malicious dropper. Stay safe!

LOLBAS rundll32 Without Expected Arguments (via cmdline)

Follow the upcoming Threat Detection Marketplace releases in order to not miss fresh SOC content items related to this delusive campaign. All the affiliated detections will be added to this blog post.

Subscribe to Threat Detection Marketplace for free and stay tuned with the most relevant SOC content designed to withstand cyber attacks on the earliest stages of their lifecycle. Enthusiastic with participation in global threat hunting initiatives? Join our Threat Bounty Program and get rewarded for your contribution.