Google’s Threat Analysis Group has flagged an ongoing campaign targeting security researchers, alleging that a government-backed entity based in North Korea is abusing social media to send malware.
According to a blog post by the Threat Analysis Group’s Adam Weidermann, the entity is allegedly using a combination of social media, Visual Studio Projects containing malware and compromised blogs to target systems running Windows.
In a move labelled by Weidermann as “a novel social engineering method”, the actors have been communicating with specific security researchers through a number of different forms of communication over several months, with Twitter, LinkedIn, Telegram, Discord, Keybase and email identified as touchpoints for the method.
Through these, he said the actors would ask if the researchers wanted to collaborate with them on vulnerability research via a Visual Studio Project.
“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events,” Weidermann said. “The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.”
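The build events Weidermann describes are ordinary MSBuild features: a `.vcxproj` can carry `<PreBuildEvent>`, `<PreLinkEvent>` and `<PostBuildEvent>` command lines, and `<Exec>` tasks inside `<Target>` elements, all of which run as part of a normal build. The script below is an added example for this article, not code from Google or the Threat Analysis Group; it reads a project file and lists every command MSBuild would execute, flagging those that call a tool capable of loading a DLL or running a script. The sample project and the DLL name in it are constructed for the demo, and the watch list of tool names is an assumption, not an exhaustive signature.

```python
"""Triage a Visual Studio project (.vcxproj) for build-event commands before building it.

Added example for this article; not code from Google's Threat Analysis Group.
The project XML below is constructed for the demonstration, and SUSPICIOUS is an
assumed, non-exhaustive watch list.
"""
import re
import xml.etree.ElementTree as ET

EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")

# Assumed watch list: tools commonly used to load a DLL or run a script from a command line.
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|powershell|pwsh|mshta|wscript|cscript|certutil|bitsadmin)\b",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the MSBuild XML namespace (older projects use it, SDK-style ones may not)."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(vcxproj_xml):
    """Return (location, command) for every command line MSBuild would run for this project."""
    data = vcxproj_xml.encode("utf-8") if isinstance(vcxproj_xml, str) else vcxproj_xml
    root = ET.fromstring(data)
    # ElementTree has no parent pointers; build a map so <Exec> can be attributed to its <Target>.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((name, child.text.strip()))
        elif name == "Exec":
            command = elem.get("Command")
            if command and command.strip():
                target = parent_of.get(elem)
                target_name = target.get("Name", "?") if target is not None else "?"
                found.append((f"Target:{target_name}", command.strip()))
    return found


def triage(vcxproj_xml):
    """Return the commands that reference a watch-listed tool, with the tool that matched."""
    hits = []
    for location, command in find_build_commands(vcxproj_xml):
        match = SUSPICIOUS.search(command)
        if match:
            hits.append({"location": location, "command": command, "tool": match.group(1).lower()})
    return hits


def triage_file(path):
    """Convenience wrapper for a project file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample project: one benign copy step, one DLL loaded in a pre-build event,
# and a hidden PowerShell invocation from an AfterBuild target.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)Browse\\PLACEHOLDER_helper.dll",Start</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -w hidden -c &quot;echo constructed&quot;" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for location, command in find_build_commands(SAMPLE_VCXPROJ):
        print(f"[{location}] {command}")
    print("---")
    for hit in triage(SAMPLE_VCXPROJ):
        print(f"FLAGGED ({hit['tool']}) at {hit['location']}: {hit['command']}")
```

Run against a project received from a third party before opening it in Visual Studio, since the IDE will run these commands on the first build. Treat the output as a reading aid rather than a verdict: a build event that copies an output file is routine, while one that loads a DLL from the project tree or launches a hidden interpreter is the kind of thing the article describes and deserves a look in an isolated machine.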
The campaign has relied on a network of Twitter profiles and a blog, with actor-controlled accounts posting links to blog posts containing analysis of publicly disclosed vulnerabilities and “guest” posts from alleged unwitting legitimate security researchers, along with video footage of supposedly newly-discovered security exploits.
Other actor-controlled Twitter profiles would then retweet this information, amplifying the blog posts and videos.
While not all claims of the exploits were verified by the Threat Analysis Group, the Google blog post claimed there was at least one instance of a YouTube video showing an exploit being faked.
The video contained supposed footage of an exploit of CVE-2021-1647, but comments posted to the video identified the exploit as fake. Following the comments, another actor-controlled Twitter account retweeted the original post and added “I think this is not a fake video”.
Some of the researchers were also compromised through the blogs themselves, with those affected having services installed on their systems that would allow an in-memory backdoor to beacon to an actor-owned command and control server.
The mechanics behind the blog compromise are unknown, but Weidermann said that the Threat Analysis Group would welcome any information on the topic.
“If you are concerned that you are being targeted, we recommend that you compartmentalise your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,” he added.