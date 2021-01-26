

Google Threat Analysis Group (TAG) has announced that North Korean hackers are implementing a new method of social engineering to attack security researchers.

Hackers have reportedly been using social platforms like Twitter, LinkedIn, Telegram, Discord, and Keybase to reach out to security researchers. The group of cybercriminals created a series of fake accounts on these networks to appear more credible while interacting with potential victims.

What is this type of attack based on social engineering?

Hackers use the social profiles to redirect researchers to a blog and to exploits. The surprising thing here is that computers get infected just by visiting the website, even when running the latest patched versions of Windows 10 and Chrome.

It seems that neither the security of Microsoft’s operating system nor that of the technology giant’s browser holds up on these pages, which is a worrying situation. In this regard, Adam Weidemann, security researcher at Google TAG, said:

“… A malicious service was installed on the investigator’s system and a backdoor in memory would begin to send signals to a command and control server owned by the actor.”

In addition to this, hackers also use email as a hook. In this case, “after establishing initial communications, actors would ask the target researcher if they wanted to collaborate on vulnerability research together and then provide the researcher with a Visual Studio project,” Weidemann said.

However, the project included malicious code “that installed malware on the target researcher’s operating system.” This code has been associated with Lazarus Group, a group of North Korean cybercriminals.

KTAE code similarity analysis for the malware used to target security researchers involved in 0day analysis and development. “Manuscrypt” (also known as FALLCHILL) is typically used by the Lazarus APT. 👉 pic.twitter.com/hXxuJIj9Lc — Costin Raiu (@craiu), January 26, 2021

“KTAE code similarity analysis for the malware used to target security researchers involved in the analysis and development of 0day. ‘Manuscrypt’ (aka FALLCHILL) is commonly used by Lazarus APT,” the tweet reads.

Google TAG requests details about the attacks

Google TAG is asking security researchers who believe they were infected to send details about the attack. The aim is to study in depth what the attack consists of, and to evaluate why Google’s and Microsoft’s defenses are not working.

Similarly, the Google TAG team recommends that the cybersecurity community review their browsing histories to find out “if they interacted with any of these profiles or if they accessed the malicious blog.br0vvnn.io domain.”
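One way to carry out the history review Google TAG recommends is to match the hostnames of visited URLs against the indicator named in the advisory. The following script is an added example written for this article, not code from Google TAG or from the original post; it assumes a browser history exported as CSV with `visit_time` and `url` columns (the sample rows below are constructed, not real visits) and uses only the one domain the article names, `blog.br0vvnn.io`, as its indicator set. Hostnames are compared exactly or as subdomains of the indicator, so a URL that merely mentions the domain in its query string or a look-alike host that embeds it as a prefix does not produce a false positive.

```python
import csv
import io
from urllib.parse import urlsplit

# Indicator named in the Google TAG advisory quoted in the article.
# Extend this set if further indicators are published.
IOC_DOMAINS = {"blog.br0vvnn.io"}


def host_matches(host, indicators=IOC_DOMAINS):
    """True if host equals an indicator or is a subdomain of one.

    A plain substring test would also flag hosts such as
    'blog.br0vvnn.io.evil.example'; suffix matching on a dot
    boundary avoids that.
    """
    host = host.lower().rstrip(".")
    for ioc in indicators:
        ioc = ioc.lower()
        if host == ioc or host.endswith("." + ioc):
            return True
    return False


def find_ioc_visits(history_csv, indicators=IOC_DOMAINS):
    """Return (visit_time, url) pairs whose hostname matches an indicator.

    history_csv: text of a CSV export with 'visit_time' and 'url' columns
    (assumed export format, e.g. from a history-export extension).
    """
    hits = []
    for row in csv.DictReader(io.StringIO(history_csv)):
        host = urlsplit(row["url"]).hostname or ""
        if host_matches(host, indicators):
            hits.append((row["visit_time"], row["url"]))
    return hits


# Constructed sample history: two genuine matches, one query-string mention,
# one look-alike host, and one unrelated visit.
SAMPLE_HISTORY = """visit_time,url
2021-01-20T09:14:02Z,https://blog.br0vvnn.io/post/1
2021-01-20T09:15:40Z,https://www.blog.br0vvnn.io/assets/x.js
2021-01-21T11:02:13Z,https://example.com/search?q=blog.br0vvnn.io
2021-01-21T12:00:00Z,https://blog.br0vvnn.io.evil.example/
2021-01-22T08:30:00Z,https://github.com/example/project
"""

if __name__ == "__main__":
    for visit_time, url in find_ioc_visits(SAMPLE_HISTORY):
        print(f"{visit_time}  {url}")
```

Run against a real export, the script prints only the visits whose host is the indicator or one of its subdomains; a hit warrants treating the machine as potentially compromised and reporting to Google TAG as the article describes.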

Thus, Google urges security researchers to be vigilant on social networks and not to interact with unknown accounts, as the full intentions of these cybercriminals are unknown.

