A Cautionary Tale: North Korean Campaign Targets Security Researchers

A new campaign targeting security researchers began in late 2020.

Specifically aimed at researchers specializing in analyzing and investigating vulnerabilities, the attackers pose as legitimate security researchers and share a sample of an exploit that contains a malicious custom backdoor with the intent of exfiltrating information about undisclosed vulnerabilities.

The Google Threat Analysis Group (TAG) have attributed this campaign to a state sponsored North Korean entity. The entity may be affiliated with the Lazarus Group APT. A user who went by the handle Br0vvnn on now-suspended Twitter and Github accounts and the security blog, Br0vvnn[.]io are a known vector in the campaign according to Google.

It’s easy to say security researchers should know better, but attackers of all levels use social engineering in most attack chains at some point for the simple reason that it works – over and over. This campaign is a blunt reminder that vigilance is required at all times by everyone, regardless of training, experience or role in the organization. This is especially true in times of intense workloads and external stress factors, such as those created by the pandemic.

What Is It?

This social engineering campaign targets security researchers specializing in analyzing and investigating vulnerabilities to deliver and install a custom malicious backdoor.

The actors behind this campaign appear to take advantage of some key characteristics of the security research community.  Security researchers:

  • Often collaborate with peers, frequently building on exploit discoveries made by others in the field
  • Have diverse backgrounds, skills, and levels of situational awareness. There are highly experienced and well-trained professional researchers, those new to the industry and amateur hobbyists – who may perform research merely for the challenge or in hopes of making it a full-time career
  • Are geographically dispersed and even pre-COVID, most interactions outside of conferences were via email, social media, forums and other electronic forms of communication.

Credibility is the currency of the security industry. Through training and hard earned, real world experience, security professionals learn to be paranoid, but they can still be vulnerable.

In this campaign, the actors seek to establish their credibility as legitimate security researchers by creating a number of Twitter and LinkedIn accounts and a research blog. They also post videos of alleged exploits they discovered and cross post links from their various accounts, trying to add veracity to the posts. Their blog contains vulnerability analysis of public exploits and posts copied from legitimate researchers, again all intended to make them appear to be genuine peers of the researchers they target.

The campaign begins by attempting to make contact with researchers via Twitter or LinkedIn direct messages. The Cisco threat intelligence team (Talos) have detailed an exchange with one of their researchers who was contacted in this campaign. After initial pleasantries, the actor asked if they researched vulnerabilities and if not, did they know someone who did. When the Talos researchers advised they did not, the attacker politely ended the conversation.

The founder of Hyperion Gray, Alejandro Caceres, described how he was taken in by the campaign. A broker of vulnerabilities he had previously dealt with and trusted introduced him to a new researcher in a three-way group chat. This new researcher, “James Willy”, sent a Visual Studio project he stated demonstrated a new zero-day vulnerability. Because he was introduced to James by a known associate, Caceres reviewed the code and executed it, which did in fact appear to be a genuine, if somewhat basic, zero-day. Unknown to Caceres, the Visual Studio project contained an additional DLL file which was executed by compiling the Visual Studio project. This DLL file is a malicious custom backdoor. The attacker’s intent appears to be to gain access to researchers’ systems to potentially obtain any research and exploits for as yet undisclosed vulnerabilities.

A review of the code of the malicious DLL shows that it is not particularly sophisticated. For example, the file properties show the file claims to be a legitimate Microsoft Windows component, which is a very basic attempt at obfuscation. In this campaign the actors put their effort into creating a social engineering driven infection vector, delivering a relatively unsophisticated malicious payload.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial attack vector, based around social engineering, is discussed in detail above.

When/How Did BluVector Detect It?

Five samples related to this campaign are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 58 months prior to their release.

All Threat Reports