New Malware Campaign Targets Security Researchers Working in Vulnerability Research

Google's Threat Analysis Group (TAG) has recently detected an ongoing campaign targeting security researchers who work on vulnerability research and development at different companies and organizations.

According to the Google report, the campaign was well organized across several online platforms and included drive-by browser compromises from booby-trapped websites. In the report, Google stated that North Korean hackers used multiple profiles on different social networks to reach out to security researchers through fake personas on Twitter, LinkedIn, Telegram, Discord, and Keybase.

A New Mysterious Browser Attack Also Discovered

Beyond the social engineering used to approach targets, Google's researchers also observed several cases where security researchers were compromised after visiting the actors' blog.

Google stated that the blog hosted malicious code that infected the security researcher's computer after they visited the site. Shortly afterwards, a malicious service was installed on the researcher's system, and an in-memory backdoor would begin beaconing to an actor-owned command and control server.

Google TAG also added that many victims who visited the site were running "fully patched and up-to-date Windows 10 and Chrome browser versions" and were still compromised.

Sites and Accounts Controlled by the Threat Actors

Research Blog

  • https://blog.br0vvnn[.]io

Keybase

  • https://keybase.io/zhangguo

Telegram

  • https://t.me/james50d

The main reason for attacking security researchers is clear: it could enable the North Korean hacking groups to steal exploits for vulnerabilities discovered by the compromised researchers, vulnerabilities the threat group could then use in its own attacks with little to no development cost.

Several security researchers have already stated on social media that they received messages from the attackers' accounts, although none have admitted to having their systems compromised.

Google said that if you are worried you are being targeted, it recommends compartmentalizing your research activities, using separate physical or virtual machines for general web browsing, communicating with others in the research community, receiving files from third parties, and your security research.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.