North Korean Hackers Use 0-Day Exploits to Attack Security Researchers

Google’s Threat Analysis Group (TAG) has issued an update regarding an ongoing campaign by North Korean threat actors targeting security researchers. 

This campaign, which first came to light in January 2021, involved using 0-day exploits to compromise the security of researchers engaged in vulnerability research and development.

Over the past two and a half years, TAG has diligently tracked and disrupted multiple campaigns orchestrated by these North Korean actors, unearthing 0-day vulnerabilities and safeguarding online users. 

Recently, TAG identified a new campaign bearing similarities to the previous one. Disturbingly, they have confirmed the active exploitation of at least one 0-day vulnerability in the past few weeks, prompting them to take immediate action.

TAG has reported this vulnerability to the affected vendor, and efforts are underway to patch it. 

While their analysis of this campaign is ongoing, TAG has chosen to provide early notification to the security research community. 

This is a stark reminder that security researchers can become targets of government-backed attackers, underscoring the importance of maintaining vigilance in security practices.

The tactics employed by these North Korean threat actors mirror those from the prior campaign. 

They contact potential targets through social media platforms such as X (formerly Twitter) and gradually build trust. 

Once a rapport is established, they transition to encrypted messaging apps like Signal, WhatsApp, or Wire. 

Subsequently, the threat actors send malicious files containing at least one 0-day exploit hidden within popular software packages.

Upon successful exploitation, the malicious code performs a series of anti-virtual machine checks and transmits the collected data, including screenshots, to a command and control domain controlled by the attackers. 

The shellcode used in these exploits exhibits similarities to previous North Korean exploits.

In addition to 0-day exploits, these threat actors have developed a standalone Windows tool to download debugging symbols from central symbol servers, including Microsoft, Google, Mozilla, and Citrix. 

However, this tool can also download and execute arbitrary code from attacker-controlled domains, posing a significant risk to those who have used it.

TAG strongly advises individuals who have downloaded or run this tool to take precautions, including ensuring their systems are clean, which may require complete OS reinstallation.

As part of its commitment to combating these severe threats, TAG utilizes its research findings to enhance the safety and security of Google’s products. 

They swiftly add identified websites and domains to Safe Browsing to protect users from further exploitation. 

Additionally, TAG notifies targeted Gmail and Workspace users of government-backed attacker alerts, encouraging potential targets to activate Enhanced Safe Browsing for Chrome and ensure their devices are up-to-date.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.