Google

A North Korean government-backed hacking group targets security researchers who focus on vulnerability and exploit development via social networks, disclosed Google tonight.

According to a report released tonight by Google’s Threat Analysis Group, a North Korean government-backed hacking group uses social networks to target security researchers and infect their computers with a custom backdoor malware.

The threat actors create fake Twitter profiles and blogs to build a fake persona as a security researcher. These accounts are then used to contact targeted security researchers via social media, including Twitter, LinkedIn, Telegram, Discord, Keybase, and email.

Social media accounts used in this campaign
Social media accounts used in this campaign
Source: Google

As part of this fake persona building, the threat actors write articles analyzing existing vulnerabilities or create videos showing off PoCs they allegedly developed.

In one case seen by Google, the threat actors were called out for a fake PoC video and began to create Twitter sock puppet accounts to refute the claims that the PoC is fake.

“Multiple comments on YouTube identified that the video was faked and that there was not a working exploit demonstrated. After these comments were made, the actors used a second Twitter account (that they control) to retweet the original post and claim that it was “not a fake video,” Google explained in their report.

After establishing contact with a security researcher, the threat actors would ask if they would like to collaborate on vulnerability research or exploit development. As part of this collaboration, the threat actors would send a Visual Studio project to the researcher that contained their PoC exploit, as well as a malicious hidden DLL named ‘vcxproj.suo.’

When the researcher tried to build the PoC exploit, a pre-build event would execute a PowerShell command that checks if the user is running 64-bit versions of Windows 10, Windows Server 2019, and Windows Server 2016.

If the checks pass, the PowerShell command will execute the malicious DLL via rundll32.exe.

PowerShell pre-build event
PowerShell pre-build event
Source: Google

Google states that this DLL is a custom backdoor injected into memory and will call back to a command and control server for commands to execute.

Google states that some researchers were also infected simply by visiting an exploit writeup at the threat actor’s blog.br0vvnn[.]io site.  These researchers used fully patched Windows 10 devices with the latest Google Chrome, indicating that the threat actors were using zero-day vulnerabilities to infect their visitors.

While Google has not stated the ultimate goal for these attacks, it was likely to steal undisclosed security vulnerabilities and exploits based on the targeted users.

Google states that the Twitter accounts used in this hacking campaign are br0vvnn, BrownSec3Labs, dev0exp, djokovic808, henya290 , james0x40, m5t0r, mvp4p3r, tjrim91, and z0x55g.

A full list of IOCs can be found at the end of Google’s report.

Security researchers reveal they were targeted

Since Google published their story, security researchers who were targeted in this campaign have started to share their experiences.

Google offers the following advice for those concerned this hacking group is targeting them.

“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,” advises Google’s Threat Analysis Group.