ZINC: Another Actor Targeting Security Researchers

What has been discovered?

• In mid-2020, Zinc started building its reputation in the security research community by retweeting high-quality security content and posting about exploit research on Twitter.
• The threat actors would then amplify these tweets using additional sock-puppet Twitter accounts under their control. This tactic allowed the group to earn a prominent security researcher's title.
• After that, the attacker would contact targeted researchers to work together on vulnerability and exploit research. Whoever agrees, receives a Visual Studio project with malicious DLL that executes when the project is compiled.
• This DLL can lead to the installation of a backdoor threat that would allow the attackers to obtain information, executing commands on a computer, and hands-on-keyboard action.

Additional attack vectors

• In addition to the malicious Visual Studio project, the threat actors were observed to be sharing a link to a blog post on their website that included an exploit kit using 0-day or patch gap exploits. 
• In addition, the threat actors were found to be spreading blog posts as MHTML files that can reach back to domains controlled by ZINC for further execution of malicious javascript.
• In addition, they tried to exploit the CVE-2017-16238 vulnerability in a driver for the antivirus product identified as Vir.IT eXplorer and using a Chrome password stealer to gather information.

Conclusion