North Korean Threat Actors Use Zero-Day Bug to Target the Cybersecurity Community

By Gabriel Botha

Sep 8, 2023

Threat actors associated with North Korea have been using a zero-day bug in undisclosed software to infiltrate the cybersecurity community. Google’s Threat Analysis Group (TAG) uncovered this ongoing attack, in which the adversary creates fake accounts on social media platforms like X and Mastodon to establish relationships and gain trust with potential targets.

The attackers engage in long conversations with security researchers and eventually move the communication to encrypted messaging apps such as Signal, WhatsApp, or Wire. Through social engineering, they then send a malicious file that exploits at least one zero-day vulnerability in a popular software package. The vulnerability is currently being addressed.

The payload of the attack includes anti-virtual machine (VM) checks and collects information from the infected machine, including a screenshot, which is then transmitted back to the attacker-controlled server.

This is not the first time North Korean actors have used collaboration-themed lures to infect victims. In a previous npm campaign, the attackers employed fake personas to target the cybersecurity sector. They convinced targets to clone and execute contents from a GitHub repository.

Further investigation by Google TAG also revealed a Windows tool called “GetSymbol,” developed by the attackers and hosted on GitHub, which served as a potential secondary infection vector.

This recent attack aligns with the activities of other North Korean threat actors. The AhnLab Security Emergency Response Center (ASEC) discovered that ScarCruft, a North Korean nation-state actor, is using LNK file lures in phishing emails to distribute a backdoor capable of harvesting sensitive data.

It has also been noted that North Korean threat actors have been targeting the Russian government and defense industry while providing support to Russia in its conflict with Ukraine. Additionally, Lazarus Group, another North Korean actor, was implicated in the theft of $41 million in virtual currency from an online casino and betting platform.

These cyber operations carried out by North Korean threat actors aim to collect intelligence on perceived adversaries, gather information on other countries’ military capabilities, and accumulate cryptocurrency funds for the state.

Sources:
- Google Threat Analysis Group (TAG)
- AhnLab Security Emergency Response Center (ASEC)
- Microsoft

