North Korea has a notorious reputation for launching cyberattacks against various countries and organizations. But did you know that they are also targeting the cybersecurity community itself? That’s right, North Korean hackers have been using a zero-day exploit in a popular software package (not named while the vendor works on a fix) to compromise the machines of security researchers.
The hackers use social media platforms like X (formerly Twitter) and Mastodon to establish contact with security researchers and pretend to collaborate with them on topics of mutual interest. After building trust, they send a malicious file that contains the exploit and infects the researcher’s computer.
The malware performs a series of anti-analysis checks (for virtual machines and security tooling) before it runs, and then sends collected information, including screenshots, back to the attacker-controlled server. The hackers also offer a fake Windows utility called “GetSymbol” that claims to download debugging symbols from the Microsoft, Google, Mozilla and Citrix symbol servers, but also has the ability to download and execute arbitrary code from an attacker-controlled command-and-control domain.
This is not the first time that North Korean hackers have targeted security researchers. In January 2021, Google TAG reported that the same threat actor had used fake personas and a research blog to build credibility, sending researchers malicious Visual Studio projects and luring them to a website that compromised fully patched Windows 10 and Chrome systems; the attacks were later linked to an Internet Explorer zero-day (CVE-2021-26411). In March 2022, Google TAG reported that two North Korean groups had exploited a Chrome zero-day (CVE-2022-0609) in campaigns against targets in the media, IT, cryptocurrency and fintech sectors.
North Korean hackers are motivated by various goals, such as collecting intelligence on their adversaries, improving their own military capabilities, and obtaining cryptocurrency funds for the state. Microsoft recently revealed that multiple North Korean threat actors have also targeted the Russian government and defense industry.
Stay safe and vigilant!