A North Korean government-backed campaign targeting cybersecurity researchers with malware has re-emerged with new tactics in their arsenal as part of a fresh social engineering attack.
In an update shared on Wednesday, Google’s Threat Analysis Group said the attackers behind the operation set up a fake security company called SecuriElite and a slew of social media accounts across Twitter and LinkedIn in an attempt to trick unsuspecting researchers into visiting the company’s booby-trapped website “where a browser exploit was waiting to be triggered.”
“The new website claims the company is an offensive security company located in Turkey that offers pentests, software security assessments and exploits,” TAG’s Adam Weidemann said. The website is said to have gone live on March 17.
A total of eight Twitter profiles and seven LinkedIn profiles, who claimed to be vulnerability researchers and human resources personnel at different security firms (including Trend Macro, inspired by Trend Micro), were created for this purpose, with a few others posing as the chief executive officer and employees at the fictitious company. All the accounts have since been suspended.
The campaign was initially flagged by TAG in January 2021, when it came to light that the adversary had created a research blog and multiple profiles on various social media platforms such as Twitter, LinkedIn, Telegram, Discord, and Keybase in a bid to communicate with the researchers and build trust, only to deploy a Windows backdoor that came in the form of a trojanized Visual Studio Project.
Following the disclosure, researchers from South Korean cybersecurity firm ENKI revealed a zero-day in Internet Explorer that it said allowed the hackers to access the devices managed by its security team with malicious MHTML files. Microsoft later addressed the issue in its Patch Tuesday update for March 2021.
As a precaution, Google has added the website’s URL to its Safebrowsing blocklist service to prevent accidental visits, even though the site hasn’t been found to serve any malicious content.
If anything, the latest development is yet another example of attackers quickly shifting gears when their methods are discovered and exposed publicly.
The real motive behind the attacks remains unclear as yet, although it’s being suspected that the threat actor may be attempting to stealthily gain a foothold on systems in order to get hold of zero-day research, and in the process, use those unpatched vulnerabilities to stage further attacks on vulnerable targets of their choice.