North Korean Hackers Pose as Cybersecurity Experts to Spread Malware

Google's Threat Analysis Group cybersecurity team has identified an ongoing campaign targeting security researchers who study software vulnerabilities. According to experts, the campaign has been going on for several months, and behind the attacks is "a government-backed organization based in North Korea." Criminals usually use social engineering to build trust with victims.

Attackers create their own research blogs in which they publish analyses of known vulnerabilities, posing as legitimate experts. The hackers also maintain Twitter accounts and post videos of their claimed research to attract as many people as possible. In one case, Google discovered that the hackers shared on Twitter a YouTube video allegedly showing successful exploitation of a Windows Defender vulnerability (CVE-2021-1647). When comments began to appear under the video saying that the exploit did not work, they created another Twitter account from which they claimed that the video was not fake.

The attackers sent messages to their intended victims asking for help in investigating vulnerabilities. Besides Twitter, they also used LinkedIn, Telegram, Discord, Keybase, and email to contact their targets and send them a malicious Microsoft Visual Studio project. In some cases, victims' computers were compromised after they visited the attackers' blog via a link shared on Twitter. Both methods resulted in the installation of a backdoor on the victims' computers, which connected to a C&C server controlled by the attackers.

Victims' systems were compromised even though they were running fully patched, current versions of Windows 10 and the Chrome browser. Google TAG is urging researchers to submit vulnerabilities to Chrome as part of the Issue Bounty Program.
