North Korean hackers are targeting security researchers: Google

A campaign by government-backed actors in North Korea is believed to be using zero-day exploits to target security researchers working on vulnerability research and development.

Google’s threat analysis group (TAG) said it has been tracking the campaign since January 2021 and has found a zero-day exploit being used recently in the campaign.

“TAG is aware of at least one actively exploited 0-day being used to target security researchers in the past several weeks,” said the threat-hunting arm of Google. “The vulnerability has been reported to the affected vendor and is in the process of being patched.”

TAG has released an early notification to warn security researchers of its initial findings and says that it continues to analyze the DPRK-backed campaign.

The campaign targets security researchers

North Korean threat actors used social media sites like X (formerly Twitter) to build rapport with their targets, according to TAG.

“In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest,” TAG said. “After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire.”

After establishing a connection with the targeted researcher, the threat actors sent a malicious file that included at least one zero-day in a widely used software package Google refrained from naming in the notification.

Once the exploitation is successful, the shellcode performs a series of anti-virtual machine checks and then sends collected information and screenshots back to an attacker-controlled C2 domain.

The attack has a secondary infection vector

Apart from the zero-day exploits, the threat actors also plant a standalone Windows tool they developed to download debugging symbols and critical program metadata from Microsoft, Google, Mozilla, and Citrix symbol servers.

“On the surface, this tool appears to be a useful utility for quickly and easily downloading symbol information from a number of different sources,” TAG said. “The source code for this tool was first published on GitHub on September 30, 2022, with several updates being released since.”

Symbol servers provide additional information about a binary that can be helpful when debugging software issues or while conducting vulnerability research. The tool also has the ability to download and execute arbitrary code from an attacker-controlled domain, TAG added.
