A new report reveals that threat actors linked to North Korea have been using a zero-day bug in an unspecified software package to compromise the computers of cybersecurity professionals. The alarming findings come from Google’s Threat Analysis Group (TAG), which detected the hackers employing social engineering tactics to establish trust with potential targets.
A Sophisticated Social Engineering Campaign by North Korean Hackers
The adversaries set up fake accounts on social media platforms like X (formerly known as Twitter) and Mastodon. These accounts were used to forge relationships with potential victims, sometimes engaging in months-long conversations. Security researchers Clement Lecigne and Maddie Stone reported, “After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp, or Wire.”
North Korean Hackers Deploying the Malicious Payload
This elaborate exercise in social engineering ultimately led to the transmission of a malicious file that exploits at least one zero-day vulnerability in a popular software package. This vulnerability is currently in the process of being fixed. Furthermore, the payload performs a number of anti-virtual machine (VM) checks and sends the collected data back to an attacker-controlled server.
Ongoing Activities
The now-suspended account on platform X had been active since at least October 2022, releasing proof-of-concept (PoC) exploit code for high-severity privilege escalation flaws in the Windows kernel, such as CVE-2021-34514 and CVE-2022-21881.
Prior Incidents
This is not the first time North Korean hackers have leveraged collaboration-themed strategies. In July 2023, GitHub disclosed an npm campaign in which attackers used fake personas to target the cybersecurity sector. Google TAG also discovered a standalone Windows tool named “GetSymbol,” developed by the attackers and hosted on GitHub as a secondary infection vector.
Wider Implications
This cybersecurity threat comes at a time when the AhnLab Security Emergency Response Center (ASEC) disclosed that the North Korean hacking group known as ScarCruft is using phishing emails to deliver backdoors capable of harvesting sensitive data. This threat also coincides with new findings from Microsoft that multiple North Korean actors have targeted Russian government and defense sectors.
A Multi-Faceted Threat
According to the U.S. Federal Bureau of Investigation (FBI), the Lazarus Group from North Korea was behind a $41 million theft in virtual currency from Stake.com, an online casino and betting platform, further emphasizing the multi-dimensional threats posed by North Korean cyber-actors.
In summary, these alarming incidents suggest that the North Korean government is using multiple threat actor groups to collect intelligence, improve military capabilities, and secure cryptocurrency funds for the state.