Cybersecurity researchers and other security experts are in the crosshairs of threat actors. In a new blog post, Google’s Threat Analysis Group (TAG) details a new social engineering campaign targeting cybersecurity researchers. TAG believes the attacks originate from North Korea with state-sponsored backing, though it presents this as a working theory rather than a firm attribution.
Cybersecurity researchers are prime targets for many kinds of attacks, social engineering included, but this campaign appears more elaborate than most. The threat actors built a well-constructed alias that presents them as a fellow InfoSec researcher looking to collaborate, then used the rapport they established to deliver their infection through several different means.
The Google Threat Analysis Group describes the attack campaign, which has a multifaceted approach, as follows:
After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains... In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.
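One practical check that follows from the description above is to inspect a shared Visual Studio project for build-event commands before building it, since that is how the campaign's DLL was executed. The script below is an added example, not code from the original post or from Google TAG; it parses a constructed .vcxproj sample (the DLL name and commands in it are hypothetical) and flags event commands that launch interpreters or load DLLs.

```python
# Audit a Visual Studio project (.vcxproj) for build-event commands before
# building it: the campaign above ran a DLL through Visual Studio Build Events.
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")
# Command fragments worth a closer look (heuristic, not exhaustive).
SUSPICIOUS = re.compile(
    r"rundll32|regsvr32|powershell|cmd(\.exe)?\s+/c|mshta|certutil|"
    r"wscript|cscript|\.dll\b", re.IGNORECASE)

def extract_build_events(vcxproj_xml):
    """Return one dict per build-event <Command> in the project XML."""
    events = []
    for group in ET.fromstring(vcxproj_xml).iter(MSBUILD_NS + "ItemDefinitionGroup"):
        condition = group.get("Condition", "")
        for tag in EVENT_TAGS:
            for ev in group.findall(MSBUILD_NS + tag):
                cmd = ev.find(MSBUILD_NS + "Command")
                if cmd is None or not (cmd.text or "").strip():
                    continue  # empty or inherited event, nothing to run
                text = cmd.text.strip()
                events.append({"event": tag, "condition": condition, "command": text,
                               "suspicious": bool(SUSPICIOUS.search(text))})
    return events

# Constructed sample project: a benign post-build copy plus a pre-build step
# that loads a DLL shipped inside the project (hypothetical file name).
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)'=='Release'">
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)out\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)'=='Debug'">
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dll",Start</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for e in extract_build_events(SAMPLE_VCXPROJ):
        flag = "SUSPICIOUS" if e["suspicious"] else "ok"
        print(f"[{flag}] {e['event']} ({e['condition']}): {e['command']}")
```

Running it on a real project means reading the file and passing its contents to `extract_build_events`; any flagged event is a reason to read the project in a text editor rather than open it in Visual Studio.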
The social media connection to this attack cannot be overlooked, as social media has become a prime vector for social engineering attacks of all kinds. LinkedIn, Twitter, and many other widely used websites serve as the initial point of contact. These websites are privacy and security landmines waiting to go off on the best of days, especially given their data collection and dubious security practices. Add in high levels of visibility, and you can become a primary target without much effort. This attack campaign should cause InfoSec professionals, in particular, to reconsider using social media at all. For that matter, the world would be safer and more private without these sites.
Featured image: Designed by Vectorjuice / Freepik