Google’s Threat Analysis Group (TAG) tracked the threat campaign. Microsoft now tracks the US same.
What has been discovered?
Zinc, a North-Korea based group of hackers, has been observed targeting security researchers working on vulnerability research and development. The attack campaign has been focused on pentesters, offensive security researchers, and security firm employees.
- Zinc started building its reputation in the security research community by retweeting high-quality security content and posting about exploit research on Twitter.
- The threat actors would then amplify these tweets using additional sock-puppet Twitter accounts under their control. This tactic allowed the group to earn a prominent security researcher’s title.
- The attacker would contact targeted researchers to work together on vulnerability and exploit research. Whoever agrees, receives a Visual Studio project with malicious DLL that executes when the project is compiled.
- This DLL can lead to the installation of a backdoor threat that would allow the attackers to obtain information, executing commands on a computer, and hands-on-keyboard action.
Additional attack vectors
- The malicious Visual Studio project, the threat actors were observed to be sharing a link to a blog post on their website that included an exploit kit using 0-day or patch gap exploits.
- They tried to exploit the CVE-2017-16238 vulnerability in a driver for the antivirus product identified as Vir.IT eXplorer and using a Chrome password stealer to gather information.
Since the discovery of SolarWinds attacks and other recent attacks on security agencies, it seems that security researchers and professionals have become a hot target for cyberattacks across the globe. Thus, experts suggest researchers separate their research activities from general web browsing, interacting with others in the research community, and accepting files from third