North Korean hackers target security researchers with zero-day exploit

North Korean threat actors are once again attempting to compromise security researchers’ machines by employing a zero-day exploit.

The warning comes from Google’s own security researchers Clement Lecigne and Maddie Stone, who detailed the latest campaign mounted by government-backed attackers.

Security researchers targeted with zero-day

The attackers initially contacted the researchers through social media (e.g., X, formerly Twitter, or Mastodon) on the pretense of collaborating on security research. After they moved the conversation to end-to-end ecnrypted IM apps (Signal, WhatsApp or Wire) and established trust, they would deliver a malicious file containing a zero-day exploit.

security researchers zero-day compromise

Actor-controlled X profile. (Source: Google)

“Upon successful exploitation, the shellcode conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain,” Lecigne and Stone said.

The attackers also tried another trick: they pointed the researchers towards a Windows tool (GetSymbol) that downloads debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers, but is also capable of downloading and executing arbitrary code from an attacker-controlled domain.

“If you have downloaded or run this tool, [Google] TAG recommends taking precautions to ensure your system is in a known clean state, likely requiring a reinstall of the operating system,” the researchers advised.

Google has yet to reveale which software is affected by the exploited the zero-day.

“The vulnerability has been reported to the affected vendor and is in the process of being patched. Once patched, we will release additional technical details and analysis of the exploits involved in line with our disclosure policies,” they added.

A new campaign

A similar campaign was revealed in January 2021, when threat actors, believed to be backed by the North Korean government, created accounts on Twitter, LinkedIn, Keybase, and Telegram to directly contact security researchers. (Microsoft also detailed that campaign.)

After establishing trust, they shared a link, asking the researchers to check the content. This would prompt the installation of a malicious service and a backdoor beaconing to a threat actor’s C2 server.

Don't miss