ZINC: Another Actor Targeting Security Researchers

An ongoing attack campaign was first discovered and reported by Google’s Threat Analysis Group (TAG) a week ago. Now, the same campaign has been monitored by Microsoft.

What has been discovered?

Zinc, a North-Korea based group of hackers, has been observed targeting security researchers working on vulnerability research and development. The attack campaign has been focused on pentesters, offensive security researchers, and security firm employees.
  • In mid-2020, Zinc started building its reputation in the security research community by retweeting high-quality security content and posting about exploit research on Twitter.
  • The threat actors would then amplify these tweets using additional sock-puppet Twitter accounts under their control. This tactic allowed the group to earn a prominent security researcher's title.
  • After that, the attacker would contact targeted researchers to work together on vulnerability and exploit research. Whoever agrees, receives a Visual Studio project with malicious DLL that executes when the project is compiled.
  • This DLL can lead to the installation of a backdoor threat that would allow the attackers to obtain information, executing commands on a computer, and hands-on-keyboard action.

Additional attack vectors

  • In addition to the malicious Visual Studio project, the threat actors were observed to be sharing a link to a blog post on their website that included an exploit kit using 0-day or patch gap exploits. 
  • In addition, the threat actors were found to be spreading blog posts as MHTML files that can reach back to domains controlled by ZINC for further execution of malicious javascript.
  • In addition, they tried to exploit the CVE-2017-16238 vulnerability in a driver for the antivirus product identified as Vir.IT eXplorer and using a Chrome password stealer to gather information.

Conclusion

Since the discovery of SolarWinds attacks and other recent attacks on security agencies, it seems that security researchers and professionals have become a hot target for cyberattacks across the globe. Thus, experts suggest researchers separate their research activities from general web browsing, interacting with others in the research community, and accepting files from third parties.

Cyware Publisher

Publisher

Cyware