In a Google blog post, the Threat Analysis Group (TAG) reports that over the past several months North Korean hackers have been posing as cybersecurity bloggers and running a campaign that targets researchers working on vulnerability research and development at different companies and organizations. Google attributes the campaign to a government-backed entity based in North Korea.
Google says the attackers created multiple fake profiles on Twitter and LinkedIn to reach out to potential targets. The actors also set up a genuine-looking research blog containing well-written articles and analyses of publicly disclosed vulnerabilities, which they used to engage with their targets.
Adam Weidemann writes in his post on Google’s Threat Analysis Group blog: “In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and amplifying and retweeting posts from other accounts that they control.”
Source: Google updates from TAG
One thing common to all of the actors’ profiles is a link to the blog where they post their research articles. The address is https://blog.br0vvnn[.]io (note: do not visit; if you do, it is at your own risk) and it appears on the Twitter profile of every actor.
Google currently seems unable to verify the authenticity or working status of all the exploits these actors have posted about in their profiles, but it did find that one of their claims, a video purporting to exploit CVE-2021-1647, was faked. The YouTube video was shared on Jan 24, 2021, by one of the actors on his Twitter profile. After many viewers commented that the video appeared to be fake, it was reshared by one of the actors, who claimed on his Twitter profile that it was “not a fake video”.
Several of the actors’ profiles retweeted the post. Google notes that the hackers used these accounts to gain credibility with security researchers. They also used LinkedIn, Telegram, Discord, Keybase, and email to engage with their targets.
Weidemann says that the actors used a “novel social engineering method” to target security researchers. He adds,
“After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project”.
After establishing initial contact with the researchers, the actors shared files with them that contained malware, malicious software that harms the user’s system and resources.
Google also observed that after researchers visited the actors’ research blog through a link on Twitter, malicious software was installed on the researcher’s computer that opened an in-memory backdoor, giving the actors full control over the system.
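The article only says the shared Visual Studio project contained malware; TAG's own report states that the payload was a DLL executed through Visual Studio build events, which run automatically when the project is compiled. A defender who receives a project from an unverified contact would therefore want to list every command the project file runs at build time before opening it in the IDE. The following Python script is an added example, not code from Google or from this article: it walks a `.vcxproj` and reports `PreBuildEvent`, `PreLinkEvent`, `PostBuildEvent`, `CustomBuildStep` and `Exec` commands, flagging any that invoke a loader or interpreter. The sample project, its paths and the DLL name are constructed for the example.

```python
"""List and triage build-time commands in a Visual Studio (MSBuild) project file.

Added example for the article above; the sample project below is constructed,
not a real project shared in the campaign.
"""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
NS = {"m": MSBUILD_NS}

# Build steps that normally compile or copy artifacts rarely need these; a
# command that launches a DLL or a script interpreter deserves a closer look.
SUSPICIOUS = re.compile(
    r"rundll32|regsvr32|powershell|cmd(\.exe)?\s+/c|\.dll\b|wscript|cscript|mshta|certutil",
    re.I,
)

# Constructed sample: one benign post-build copy plus two commands a reviewer
# would want to see (a DLL loaded via rundll32 and a hidden PowerShell run).
SAMPLE_VCXPROJ = r"""
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
    </ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe $(SolutionDir).vs\helper.dll,Start</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy $(TargetPath) $(SolutionDir)out\</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -nop -w hidden -File $(ProjectDir)setup.ps1" />
  </Target>
</Project>
"""


def find_build_commands(project_xml: str):
    """Return (element, command) pairs for every command MSBuild would run."""
    root = ET.fromstring(project_xml)
    findings = []
    # Build-event elements carry the command in a child <Command> element.
    for tag in ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"):
        for event in root.iter(f"{{{MSBUILD_NS}}}{tag}"):
            cmd = event.find("m:Command", NS)
            if cmd is not None and cmd.text and cmd.text.strip():
                findings.append((tag, cmd.text.strip()))
    # <Exec> tasks inside <Target> elements carry the command as an attribute.
    for exec_task in root.iter(f"{{{MSBUILD_NS}}}Exec"):
        cmd = exec_task.get("Command")
        if cmd and cmd.strip():
            findings.append(("Exec", cmd.strip()))
    return findings


def triage(project_xml: str):
    """Attach a suspicious flag to each build command found in the project."""
    return [
        (tag, cmd, bool(SUSPICIOUS.search(cmd)))
        for tag, cmd in find_build_commands(project_xml)
    ]


if __name__ == "__main__":
    for tag, cmd, flagged in triage(SAMPLE_VCXPROJ):
        marker = "SUSPICIOUS" if flagged else "ok"
        print(f"[{marker:10}] {tag}: {cmd}")
```

Run it against a real project with `triage(open("path/to/project.vcxproj").read())`. The flag list is a starting point for a reviewer, not a verdict: a clean output does not prove the project is safe (source files, solution-level settings and `.vs` directories can also carry code), which is why TAG's advice to handle untrusted research material on a separate machine still applies.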
Google’s Adam Weidemann says all the researchers were using a fully updated Windows 10 operating system and the latest version of the Google Chrome browser. He also adds, “At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have. Chrome vulnerabilities, including those being exploited in the wild (ITW), are eligible for reward payout under Chrome’s Vulnerability Reward Program. We encourage anyone who discovers a Chrome vulnerability to report that activity via the Chrome VRP submission process.”
Although Google’s Threat Analysis Group has not been able to identify the researchers who were targeted, TAG has published a list of accounts and websites that are potentially harmful to come into contact with. The list contains 10 Twitter accounts belonging to the actors, 1 research blog, and several LinkedIn profiles, Keybase accounts, C2 domains, and more.
One of the main actor-controlled sites is the research blog that lured researchers and installed malware on their devices.
Site: https://blog.br0vvnn[.]io (note: do not visit; if you must, it is at your own risk)
This poses a major threat to companies, researchers, and the general public. Although the general public is not currently being targeted, that does not tell us whether we will be targeted in the near future, or whether we have been targeted already. The reach of the Internet is vast, and we have to take precautions. Google suggests that researchers who think they are being targeted use a virtual machine for general web browsing and for reviewing research papers.
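The indicators above are published in defanged form (`[.]` in place of `.`) so that readers cannot click them by accident; to check whether anyone in an organisation reached the blog, they have to be refanged and matched against proxy or DNS logs, including subdomains. The following Python script is an added example, not part of the article or of Google's published list: it refangs a list of indicators and scans log lines for hosts that equal or fall under an indicator domain. The log lines are constructed for the example, and `example-c2[.]invalid` stands in for the other C2 domains in TAG's list, which this article does not reproduce.

```python
"""Refang defanged indicators and match them against proxy/DNS log lines.

Added example for the article above. The log lines and the second indicator
are constructed placeholders; only blog.br0vvnn[.]io comes from the article.
"""
import re

# Indicators as a blog or report would publish them (defanged).
IOCS = [
    "blog.br0vvnn[.]io",      # from the article
    "example-c2[.]invalid",   # constructed placeholder for a further C2 domain
]

# Constructed proxy/DNS log lines: two reach the blog, one reaches the
# placeholder C2 via a subdomain, one is unrelated traffic.
LOG_LINES = [
    "2021-01-25T09:12:03Z 10.0.0.5 GET https://blog.br0vvnn.io/index.html 200",
    "2021-01-25T09:12:04Z 10.0.0.5 GET https://cdn.example.com/lib.js 200",
    "2021-01-25T09:15:41Z 10.0.0.7 DNS query A blog.br0vvnn.io",
    "2021-01-25T09:16:02Z 10.0.0.7 GET https://www.example-c2.invalid/ 404",
]

# Candidate host names: a dotted label sequence ending in an alphabetic TLD,
# so bare IPv4 addresses and timestamps are not treated as hosts.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def refang(ioc: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a matchable domain."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def matches_domain(host: str, ioc_domain: str) -> bool:
    """True when host is the indicator domain itself or a subdomain of it."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_log(lines, iocs):
    """Return (line_number, host, matched_indicator) for every hit."""
    domains = [refang(ioc) for ioc in iocs]
    hits = []
    for number, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            host = host.lower()
            for domain in domains:
                if matches_domain(host, domain):
                    hits.append((number, host, domain))
    return hits


if __name__ == "__main__":
    for number, host, domain in scan_log(LOG_LINES, IOCS):
        print(f"line {number}: {host} matches indicator {domain}")
```

A hit on the blog domain is worth following up even though the page notes that only some visitors were compromised: the browsing host should be treated as suspect until its state is examined, and the refanged list should also be fed to the proxy or DNS resolver as a block list so that later visits are denied rather than merely logged.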