Google warns of North Korean hackers using ‘novel social engineering method’


Twitter, LinkedIn and email are just some of the touchpoints used as part of the method.


Google’s Threat Analysis Group has flagged an ongoing campaign targeting security researchers, alleging that a government-backed entity based in North Korea is abusing social media to send malware. 

According to a blog post by the Threat Analysis Group’s Adam Weidemann, the entity is allegedly using a combination of social media, Visual Studio projects containing malware and compromised blogs to target systems running Windows.

In a move labelled by Weidemann as “a novel social engineering method”, the actors have been communicating with specific security researchers through several different channels over a period of months, with Twitter, LinkedIn, Telegram, Discord, Keybase and email identified as touchpoints for the method.

Through these channels, he said, the actors would ask whether the researchers wanted to collaborate on vulnerability research via a Visual Studio project.

“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events,” Weidemann said. “The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.”
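The mechanism quoted above relies on MSBuild running pre-build, pre-link and post-build commands as a side effect of compiling the project. The following audit script is an added example, not code from the Google post: it lists every build-time command in a .vcxproj and flags those that load a DLL or launch a script host, so a researcher can review a received project before building it. The sample project text and the DLL name in it are constructed.

```python
"""Audit a Visual Studio project (.vcxproj) for build events that run code.

Added example (not from the Google TAG post). MSBuild executes PreBuildEvent,
PreLinkEvent and PostBuildEvent commands and <Exec> tasks while building, so a
project received from a stranger can run a bundled DLL the moment it is
compiled. Sample project text below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}
# Patterns a reviewer should inspect before building an untrusted project
SUSPICIOUS = re.compile(
    r"rundll32|regsvr32|\.dll\b|powershell|cmd(\.exe)?\s+/c|mshta|wscript|cscript",
    re.IGNORECASE,
)

def local(tag):
    """Strip the MSBuild XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_project(xml_text):
    """Return (event_kind, command, suspicious) for every build-time command."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        name = local(elem.tag)
        if name in EVENT_TAGS:
            for child in elem:
                if local(child.tag) == "Command" and child.text and child.text.strip():
                    text = child.text.strip()
                    findings.append((name, text, bool(SUSPICIOUS.search(text))))
        elif name == "Exec":  # <Exec Command="..."/> inside a custom <Target>
            text = (elem.get("Command") or "").strip()
            if text:
                findings.append(("Exec task", text, bool(SUSPICIOUS.search(text))))
    return findings

# Constructed sample: a harmless copy step plus a post-build event that loads a bundled DLL
SAMPLE_VCXPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>copy /Y "$(ProjectDir)config.h" "$(OutDir)"</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dll",Start</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>"""

if __name__ == "__main__":
    for kind, command, flagged in audit_project(SAMPLE_VCXPROJ):
        print(("[REVIEW] " if flagged else "[ok]     ") + kind + ": " + command)
```

Run it against a real project with `audit_project(open(path, encoding="utf-8").read())`; the flagged list is a starting point for manual review, not proof of malice.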

The campaign has relied on a network of Twitter profiles and a blog, with actor-controlled accounts posting links to blog posts containing analysis of publicly disclosed vulnerabilities and “guest” posts from what appear to be unwitting, legitimate security researchers, along with video footage of supposedly newly discovered security exploits.

Other actor-controlled Twitter profiles would then retweet this information, amplifying the blog posts and videos. 

While the Threat Analysis Group could not verify every claimed exploit, the Google blog post said there was at least one instance of a YouTube video showing an exploit that was faked.

The video contained supposed footage of an exploit of CVE-2021-1647, but comments posted to the video identified the exploit as fake. Following the comments, another actor-controlled Twitter account retweeted the original post and added “I think this is not a fake video”.  

Some of the researchers were also compromised through the blogs themselves: those affected had a service installed on their systems that allowed an in-memory backdoor to beacon to an actor-owned command and control server.

The mechanics behind the blog compromise are unknown, but Weidemann said the Group would welcome any information on the topic.

“If you are concerned that you are being targeted, we recommend that you compartmentalise your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,” he added. 
