North Korea-based threat actors are once again targeting security researchers via fake LinkedIn and Twitter accounts. According to Google's Threat Analysis Group (TAG), the attackers created a website for a fake company offering offensive security services.

What was discovered?

Google TAG, which specializes in hunting APTs, revealed that a North Korean government-sponsored hacking group has targeted security experts engaged in vulnerability research.
  • The attackers used fake personas on multiple social networks, such as LinkedIn and Twitter, to reach out or communicate with security researchers.
  • A fake company, SecuriElite, was also set up with the domain securielite[.]com, claiming to be a Turkey-based provider of penetration testing services.
  • The site hosts the attackers' PGP public key, the same lure used in their earlier campaign. At the time of discovery it was not serving any malicious content; the earlier campaign is believed to have used an Internet Explorer 0-day against visitors.

Similar attacks in the past

Similar attacks were detected in January, when a site controlled by the attackers hosted their PGP public key.
  • The key was used as a lure to draw security researchers to a page that ran browser exploits to infect them with malware. In the newer campaign, the SecuriElite site was detected before it had been set up to serve any malicious payload.
  • After initial communications, the attackers asked the targeted researcher to collaborate on vulnerability research and sent the researcher a Visual Studio project.
  • The Visual Studio project contained malicious code that installed a backdoor, which contacts a remote command-and-control (C2) server and waits for commands.
  • The backdoor is identified as Manuscrypt (also known as FALLCHILL) and used by the Lazarus APT.
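As an added example that is not part of the original article: Google TAG's January 2021 report described the malicious DLL inside the shared Visual Studio project being executed through Visual Studio Build Events, so one practical check before opening a project received from an unknown contact is to inspect the .vcxproj for build-time commands without loading it in the IDE. The script below parses the MSBuild XML, lists PreBuildEvent/PreLinkEvent/PostBuildEvent commands and Exec tasks, and flags common living-off-the-land indicators. The sample project files, the indicator list and the function names are constructed for this example.

```python
"""Static check for build-time commands in a Visual Studio (.vcxproj) file.

Parses the MSBuild XML directly, so nothing in the project is executed.
Added example; the sample projects and indicator list are constructed.
"""
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose <Command> child is run during a build.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}

# Indicators in a build command that warrant a closer look (constructed list).
SUSPICIOUS = re.compile(
    r"rundll32|regsvr32|powershell|cmd(\.exe)?\s*/c|mshta|certutil"
    r"|wscript|cscript|\.dll\b",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.split("}", 1)[-1] if "}" in tag else tag


def find_build_hooks(xml_text):
    """Return (kind, command) for every build-time command in the project.

    Covers PreBuild/PreLink/PostBuild events and <Exec Command="..."/> tasks
    inside custom <Target> elements, in document order.
    """
    root = ET.fromstring(xml_text)
    hooks = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in BUILD_EVENT_TAGS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    hooks.append((name, child.text.strip()))
        elif name == "Exec":
            cmd = elem.get("Command")
            if cmd and cmd.strip():
                hooks.append(("Exec", cmd.strip()))
    return hooks


def assess_project(xml_text):
    """Return only the build hooks whose command matches a suspicious indicator."""
    return [(kind, cmd) for kind, cmd in find_build_hooks(xml_text)
            if SUSPICIOUS.search(cmd)]


# Constructed sample: a project that runs a bundled DLL before the build and
# an encoded PowerShell command from a custom target after it.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper\\lib.dll,Start</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>echo build finished</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -enc SQBFAFgA" />
  </Target>
</Project>
"""

# Constructed sample: a benign project with only an echo in its post-build step.
CLEAN_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="main.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup>
    <PostBuildEvent>
      <Command>echo build finished</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_VCXPROJ), ("clean", CLEAN_VCXPROJ)):
        print(f"[{label}] build hooks:")
        for kind, cmd in find_build_hooks(text):
            flag = "SUSPICIOUS" if SUSPICIOUS.search(cmd) else "ok"
            print(f"  {flag:10} {kind}: {cmd}")
```

Run it against a real project with `find_build_hooks(open("proj.vcxproj").read())`; the indicator list is deliberately small and should be extended with whatever binaries your environment treats as unusual in a build step. A hit is not proof of malice, but any build hook in a project from an unverified contact deserves to be read before the project is built or even opened, since opening a solution can be enough to trigger some IDE-driven actions.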

Conclusion

The motive behind targeting security researchers is believed to be the theft of exploits for vulnerabilities discovered by the targeted researchers, which could then be deployed in future attacks. Security researchers and professionals should therefore remain vigilant when an unknown person contacts them through social media.

Cyware Publisher
