The campaign includes setting up a social media presence and fake research blogs.

Fremont, CA: An ongoing campaign run by a North Korean state-backed group has been targeting security researchers who work on vulnerability research and development. Individual researchers are approached through social engineering and lured into running a malicious payload. The operation involves building a credible social media presence, creating a fake security research blog, and then inviting legitimate security researchers to contribute guest posts.

The attackers first established a security research blog and multiple Twitter profiles to interact with potential targets. They used these fake profiles to post links to the blog, release videos of claimed exploits, and amplify other accounts they control. After establishing contact with a target, the attackers would ask the researcher whether they wanted to collaborate on vulnerability research, and would then send the researcher a Visual Studio project.

The project contained source code for exploiting the vulnerability together with an additional DLL that was executed through Visual Studio Build Events; that DLL was custom malware which began communicating with actor-controlled command-and-control domains as soon as the project was built. Google's Threat Analysis Group also found researchers who were compromised after following a link to the actors' fake research blog: shortly after the visit, a malicious service was installed on the researcher's system and an in-memory backdoor began beaconing to the actors' command-and-control server. The affected systems were running fully patched, up-to-date versions of Windows 10 and Chrome at the time.
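Build events are ordinary shell commands that MSBuild runs on whatever machine builds the project, which is why a project file from an unknown collaborator should be read before it is built. The scanner below is an added example written for this article, not code from Google TAG or from the campaign; it lists every build-time command and external reference in a .vcxproj/.csproj and flags the ones that invoke living-off-the-land binaries or fetch and decode a payload. The sample project it ships with is constructed for the illustration, and its file name (dbghelper.dll), entry point (Run) and heuristic keyword list are assumptions rather than details of the actors' actual project.

```python
"""Pre-build audit of an MSBuild project file (.vcxproj/.csproj).

Build events (PreBuildEvent, PreLinkEvent, PostBuildEvent, CustomBuildStep)
and <Exec> tasks are shell commands that MSBuild runs on the building machine,
so a project received from an unknown collaborator should be read, not built.
The scanner lists every such command and flags the ones that invoke
living-off-the-land binaries or fetch/decode a payload.  SAMPLE_VCXPROJ is a
constructed example for this illustration, not the campaign's actual project.
"""
import re
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Elements whose <Command> child is executed by MSBuild at build time.
EVENT_ELEMENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}

# Elements that pull in code from elsewhere; listed so a reviewer can chase them.
REFERENCE_ELEMENTS = {"Import", "UsingTask"}

# Binaries and patterns commonly used to stage a payload from a build step
# (assumed heuristic list; extend it for your environment).
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|powershell|pwsh|mshta|certutil|bitsadmin|"
    r"wscript|cscript|curl|wget|Invoke-WebRequest|DownloadString|"
    r"FromBase64String)\b|\s-enc(odedcommand)?\b|https?://",
    re.IGNORECASE,
)

# Constructed sample: one benign copy step, one rundll32 pre-build event and
# one encoded-PowerShell Exec task.  File and entry-point names are made up.
SAMPLE_VCXPROJ = r"""<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
    </ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)x64\Debug\dbghelper.dll",Run</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Stage" BeforeTargets="PrepareForBuild">
    <Exec Command="powershell -nop -w hidden -enc SQBFAFgA" />
  </Target>
</Project>
"""


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(project_xml: str) -> List[Tuple[str, str]]:
    """Return (element, command-or-reference) pairs in document order."""
    root = ET.fromstring(project_xml.encode("utf-8"))
    found: List[Tuple[str, str]] = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_ELEMENTS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((name, child.text.strip()))
        elif name == "Exec":
            cmd = (elem.get("Command") or "").strip()
            if cmd:
                found.append((name, cmd))
        elif name in REFERENCE_ELEMENTS:
            ref = elem.get("Project") or elem.get("AssemblyFile") or elem.get("AssemblyName") or ""
            found.append((name, ref.strip()))
    return found


def flag_suspicious(commands: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only entries whose command matches the SUSPICIOUS heuristic."""
    return [(loc, cmd) for loc, cmd in commands if SUSPICIOUS.search(cmd)]


def scan(project_xml: str) -> List[str]:
    """Human-readable report lines; suspicious entries are prefixed with '!!'."""
    commands = find_build_commands(project_xml)
    flagged = set(flag_suspicious(commands))
    return [f"{'!! ' if entry in flagged else '   '}{entry[0]}: {entry[1]}" for entry in commands]


if __name__ == "__main__":
    # Usage: python scan_msbuild.py project.vcxproj [more.vcxproj ...]
    # With no arguments the constructed sample is scanned.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_VCXPROJ]
    for text in sources:
        print("\n".join(scan(text)))
```

Run it from the isolated machine the article's advice calls for, against the project file as received, before the solution is ever built. The keyword list is only a heuristic: a clean report still leaves the Import and UsingTask entries to be followed by hand, since a referenced .props/.targets file or custom task assembly can carry its own build steps.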

Google's Threat Analysis Group recommended that security researchers who are concerned they may have been targeted compartmentalize their work, using separate physical or virtual machines (VMs) for general web browsing, for communicating with other researchers, for accepting files from third parties, and for their own security research.