Cybercrooks posing as cybersecurity researchers… targeting cybersecurity researchers
“In January, the Threat Analysis Group documented a hacking campaign, which we were able to attribute to a North Korean government-backed entity, targeting security researchers. On March 17th, the same actors behind those attacks set up a new website with associated social media profiles for a fake company called “SecuriElite,” Adam Weidemann from Google’s Threat Analysis Group wrote in an article detailing the attacks.
In other words, the same campaign, initially detected at the beginning of 2021, is active again, now using a research blog website and several social media profiles. More specifically, the cybercriminals set up eight Twitter and seven LinkedIn profiles, supposedly belonging to vulnerability researchers and HR specialists at several security firms, such as Trend Micro.
They used the profiles to post links to the website, “posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control”. The research blog contained write-ups and analysis of publicly disclosed vulnerabilities, and also featured guest posts from “unwitting legitimate security researchers.” All these efforts were likely aimed at building credibility with the cybersecurity community.
Specific security researchers targeted
It turns out that specific researchers were targeted. Novel social engineering tricks were used to establish contact and ask the targeted expert whether they wanted to collaborate on vulnerability research. Once the researcher agreed, the cybercriminals would send them a Visual Studio project containing the source code for exploiting the flaw in question. The project also included an additional DLL, which was executed through Visual Studio Build Events.
“The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains. An example of the VS Build Event can be seen in the image below,” the initial report detailing the attack explained.
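A defender-side triage script for the mechanism described above, added here as an example and not code from the report or this article: it parses a .vcxproj with Python's standard library, lists every Pre/Post-Build command, and flags those that load a DLL or spawn a script host. The sample project, the `sample.dll` path and the heuristic keyword list are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# MSBuild project namespace used by .vcxproj files
MSBUILD_NS = {"ms": "http://schemas.microsoft.com/developer/msbuild/2003"}
# Build-event elements whose <Command> child runs a shell command during the build
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep")
# Constructed triage heuristics (assumption, not from the report): DLL loads and script hosts
SUSPICIOUS = re.compile(r"rundll32|regsvr32|mshta|wscript|cscript|powershell|certutil|\.dll\b", re.IGNORECASE)

def find_build_events(vcxproj_xml):
    """Return (event_tag, condition, command) for every build-event command in the project."""
    root = ET.fromstring(vcxproj_xml)
    events = []
    for group in root.findall("ms:ItemDefinitionGroup", MSBUILD_NS):
        condition = group.get("Condition", "")  # e.g. which Configuration|Platform triggers it
        for tag in EVENT_TAGS:
            for event in group.findall(f"ms:{tag}", MSBUILD_NS):
                cmd = event.find("ms:Command", MSBUILD_NS)
                if cmd is not None and cmd.text and cmd.text.strip():
                    events.append((tag, condition, cmd.text.strip()))
    return events

def flag_suspicious_events(vcxproj_xml):
    """Keep only build events whose command matches the triage heuristics."""
    return [e for e in find_build_events(vcxproj_xml) if SUSPICIOUS.search(e[2])]

# Constructed sample project: one benign copy step and one build event that loads a DLL
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PostBuildEvent>
      <Command>xcopy /y "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)assets\\sample.dll",Init</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>"""

if __name__ == "__main__":
    for tag, cond, cmd in flag_suspicious_events(SAMPLE_VCXPROJ):
        print(f"[{tag}] {cond or '(unconditional)'}: {cmd}")
```

Reviewing these commands before opening a shared project is cheaper than a post-compromise investigation; the Release-only condition in the sample shows why every configuration's events need to be read, not just the one you build.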
The currently active site is presented as an offensive security company situated in Turkey. The company supposedly offers pen testing, software security assessment, and exploits.
The website features a link to the attackers’ PGP public key, as seen in their previous sites. The created social media profiles “continue the trend of posting as fellow security researchers interested in exploitation and offensive security,” the report said.
This website hasn’t been detected serving malicious content yet. However, the Threat Analysis Group added it to Google Safe Browsing as a precautionary measure. “Based on their activity, we continue to believe that these actors are dangerous, and likely have more 0-days,” the researchers concluded.
In another recent attack, software developers were targeted with purpose-built malware: a trojanized Xcode project aimed at iOS developers. The project was a malicious version of a legitimate, open-source project available on GitHub that lets iOS programmers use several advanced features for animating the iOS Tab bar.