Google’s Threat Analysis Group warned on Monday that North Korean threat groups have been targeting security researchers who work on vulnerability research and development in various organizations and companies.
The campaign involves threat actors who established a research blog and even created several Twitter accounts, intending to cozy up to security researchers.
The blog contains writeups and analyses of vulnerabilities that have been publicly disclosed. There are also guest posts from legitimate security researchers who were tricked into thinking that they were getting published on a legitimate site.
While some of the exploits on the blog are legitimate, some are not.
Trickery and deception
One of the illegitimate posts claims a working exploit for a recently disclosed Windows Defender vulnerability.
After establishing the fake bona fides, the hackers reach out to the security researchers and make an offer to collaborate. If the security researcher agrees to this, the hackers provide them with a Visual Studio Project containing source code for exploiting the vulnerability and an additional DLL.
The DLL is the tricky part: it carries custom malware that immediately connects to a command-and-control server, giving the hackers control of the researcher's machine.
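A defender receiving such a "collaboration" project wants a way to look at it before opening or building it. The script below is an added example, not code from the article or from Google TAG: it parses a Visual Studio `.vcxproj` file for build-time commands (pre-build, pre-link, post-build events and `Exec` tasks) and lists any prebuilt binaries shipped alongside the source. The article states only that a DLL was bundled with the project; that a build event might be the thing that loads it is an assumption made here to show the general check. The sample project and file list are constructed for the demonstration.

```python
import os
import xml.etree.ElementTree as ET

# File extensions that carry executable code. A proof-of-concept exploit
# project normally has no reason to ship these prebuilt next to its source.
BINARY_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".scr"}

# MSBuild elements whose <Command> child is executed during the build.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}

# Loaders and interpreters that would let a build step run a bundled binary.
# This list is the reviewer's heuristic, not something the article gives.
LOADER_HINTS = ("rundll32", "regsvr32", "powershell", "cmd.exe", "cmd ",
                "mshta", "wscript", "cscript")


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def build_commands(project_xml: str) -> list:
    """Return every command line a .vcxproj would execute during a build."""
    root = ET.fromstring(project_xml)
    commands = []
    for el in root.iter():
        name = _local(el.tag)
        # <Exec Command="..."/> tasks inside custom targets
        if name == "Exec" and el.get("Command"):
            commands.append(el.get("Command").strip())
        # <PreBuildEvent><Command>...</Command></PreBuildEvent> and friends
        elif name in BUILD_EVENT_TAGS:
            for child in el:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    commands.append(child.text.strip())
    return commands


def audit_project(project_xml: str, file_list: list) -> dict:
    """Audit an untrusted Visual Studio project before it is opened or built.

    file_list holds the relative paths found inside the delivered archive.
    """
    binaries = sorted(
        p for p in file_list if os.path.splitext(p)[1].lower() in BINARY_EXTENSIONS
    )
    commands = build_commands(project_xml)
    suspicious = [c for c in commands if any(h in c.lower() for h in LOADER_HINTS)]
    verdict = ("review before building" if binaries or suspicious
               else "no bundled binaries or build-time loaders found")
    return {
        "bundled_binaries": binaries,
        "build_commands": commands,
        "suspicious_commands": suspicious,
        "verdict": verdict,
    }


# Constructed sample: a project that ships a DLL and loads it from a pre-build
# event. The entry point name "Init" is made up for the example.
SAMPLE_VCXPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)'=='Debug'">
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,Init</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""
SAMPLE_FILES = ["poc.sln", "poc.vcxproj", "poc.cpp", "helper.dll", "README.md"]

if __name__ == "__main__":
    for key, value in audit_project(SAMPLE_VCXPROJ, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

Run it against the `.vcxproj` and the file listing of any project you did not write yourself; a non-empty `bundled_binaries` or `suspicious_commands` list means the project deserves a look in an isolated VM rather than a double-click on the `.sln`.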
The endgame was early access
According to Dirk Schrader, global vice president of cybersecurity and compliance at New Net Technologies, the whole operation appears to be an attempt to gain access to security researchers who hold early information about vulnerabilities that have not yet been made public or been exploited in the wild.
If the campaign had not been detected, it is unclear how far they would have gone or how many researchers they would have tricked.
The outcome would have been the hackers using that early vulnerability information to exploit whatever targets they could before the flaws became widely known.