Campaign targeting cybersecurity researchers detected

Posted date 28/01/2021

Google has identified an ongoing campaign targeting cybersecurity researchers working on study of vulnerabilities across multiple companies and organizations, suspected to be perpetrated by an entity which belongs to the North Korean government, the company said.

The cybercriminals are also reported to have a blog and multiple profiles on communication platforms, such as Twitter, LinkedIn, Telegram, Discord, Keybase and email, to carry out the cyberattacks identified so far.

On the one hand, the attackers have employed social engineering against the researchers to infect their systems. Firstly, the technique consisted of contacting the victim and asking if they would like to collaborate jointly in vulnerability research. Then it provides a Visual Studio project that contains, in addition to the vulnerability exploit, a DLL, which is a custom malware to communicate with the C&C domains controlled by the attackers.

On the other hand, other researchers' computers have also been infected, following a currently unknown mechanism, after visiting a blog post via a Twitter link. In this case, a malicious service is installed which establishes a backdoor to the victim's memory.

Google urges researchers not to interact with unknown people and to separate their professional activity from their daily activities, using different physical devices or virtual machines.

[Update 31/03/2021] Cybercriminals have created a new website associated with a fake company called «SecuriElite» which offers pentests and security assessments of software and exploits. There is not any evidence that this website offers malicious content, but it has a link to the PGP public key which acted as lure for triggering a browser exploit in the case of the blog. It is kept on Google Safebrowsing as a precaution.