According to Google's Threat Analysis Group (TAG), the campaign shares similarities with previous North Korean hacking efforts aimed at infiltrating security professionals to steal data and insights.
As outlined by TAG, the attackers initiate contact with researchers through social media platforms such as X (formerly Twitter) and build rapport over weeks or months. After developing a relationship, the hackers send documents containing at least one zero-day exploit through encrypted messaging apps.
"They carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire.
Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package." - wrote Google's Threat Analysis Group (TAG)
If successful, the zero-day exploit installs sophisticated malware capable of performing anti-virtualization checks before exfiltrating system data and screenshots to attacker-controlled servers.
TAG notes the malware shares coding similarities with previous North Korean exploits.
In addition to targeting researchers with 0-day exploits, the threat actors also developed a standalone Windows tool whose stated purpose is to 'download debugging symbols from Microsoft, Google, Mozilla, and Citrix symbol servers for reverse engineers.'
According to Google TAG, the source code for this tool was first published on GitHub on September 30, 2022, with several updates being released since. On the surface, this tool appears to be a useful utility for quickly and easily downloading symbol information from a number of different sources. Symbols provide additional information about a binary that can be helpful when debugging software issues or while conducting vulnerability research.
[Image: GetSymbol project interface]
The tool also has the ability to download and execute arbitrary code from an attacker-controlled domain.
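A defender-side way to catch this class of behaviour is egress allowlisting: a utility whose only job is to fetch debugging symbols should contact nothing but known symbol servers, so any other destination from that process is a finding. The script below is an added example and is not code from Google TAG or from the GetSymbol project; the process name `GetSymbol.exe`, the proxy-log line format and the log lines themselves are constructed for the demonstration, and the allowlist of symbol-server hosts is an assumption that should be checked against your own environment before use.

```python
"""
Added example (not from Google TAG's report or the GetSymbol project): flag
outbound requests made by a symbol-download utility to any host other than a
known symbol server. The point is detection: an unexpected host is exactly
where a hidden "download and execute arbitrary code" capability would show up.
"""
from urllib.parse import urlsplit

# Assumed allowlist of public symbol-server hosts. Treat it as a starting point
# to verify for your environment, not as a fact taken from the article.
KNOWN_SYMBOL_HOSTS = {
    "msdl.microsoft.com",
    "symbols.mozilla.org",
    "chromium-browser-symsrv.commondatastorage.googleapis.com",
    "ctxsym.citrix.com",
}

# Constructed sample of egress-proxy log lines: "<timestamp> <process> <method> <url>".
# Line 4 uses a lookalike host to show why exact host matching matters.
SAMPLE_PROXY_LOG = """\
2023-09-07T10:01:02Z GetSymbol.exe GET https://msdl.microsoft.com/download/symbols/ntdll.pdb/ABCD1234/ntdll.pdb
2023-09-07T10:01:05Z GetSymbol.exe GET https://symbols.mozilla.org/xul.pdb/DEADBEEF1/xul.pdb
2023-09-07T10:01:09Z GetSymbol.exe GET https://update.example-cdn.invalid/payload.bin
2023-09-07T10:01:11Z GetSymbol.exe GET http://msdl.microsoft.com.evil.invalid/symbols/x.pdb
2023-09-07T10:02:00Z firefox.exe GET https://www.example.invalid/
"""


def parse_line(line):
    """Split one proxy log line into its fields; return None for malformed lines."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, proc, method, url = parts
    return {"ts": ts, "process": proc, "method": method, "url": url}


def host_of(url):
    """Extract the exact host so that 'msdl.microsoft.com.evil.invalid' is not
    mistaken for 'msdl.microsoft.com' (a substring check would be fooled)."""
    return (urlsplit(url).hostname or "").lower()


def is_symbol_request(url, allowlist=KNOWN_SYMBOL_HOSTS):
    """True only if the request goes to a host on the symbol-server allowlist."""
    return host_of(url) in allowlist


def find_suspicious_egress(log_text, tool_name="GetSymbol.exe", allowlist=KNOWN_SYMBOL_HOSTS):
    """Return log entries where the symbol tool contacted a host outside the allowlist.
    Requests from other processes are ignored; only the tool's own egress is judged."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry["process"].lower() != tool_name.lower():
            continue
        if not is_symbol_request(entry["url"], allowlist):
            entry["host"] = host_of(entry["url"])
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in find_suspicious_egress(SAMPLE_PROXY_LOG):
        print(f"{f['ts']} {f['process']} -> unexpected host {f['host']} ({f['url']})")
```

On the constructed log this reports two requests: the one to `update.example-cdn.invalid` and the one to the lookalike `msdl.microsoft.com.evil.invalid`. The same allowlist can be enforced as a proxy or host-firewall rule for the tool's process so that the unexpected fetch is blocked rather than merely logged.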
If you have downloaded or run this tool, TAG recommends taking precautions to ensure your system is in a known clean state, likely requiring a reinstall of the operating system.
Google's Threat Analysis Group has reported the zero-day vulnerabilities to affected vendors, and vendors are currently working on patches. Once available, TAG will release further technical details following its disclosure policies.
In the meantime, indicators of compromise have been added to Google's Safe Browsing service to prevent further potential infections. Targeted individuals have also been notified.
The report provides concerning evidence that skilled, well-resourced nation-state hackers are actively targeting the security research community using clandestine and highly dynamic tradecraft.
Organizations should alert security teams to bolster defenses and carefully scrutinize incoming communications purporting to be from fellow researchers. TAG's disclosure aims to make the community aware of the ongoing activities so defensive capabilities can be evaluated and enhanced across the ecosystem.