A North Korean government-backed campaign targeting cybersecurity researchers with malware has re-emerged with new tactics in their arsenal as part of a fresh social engineering attack.
Google’s Threat Analysis Group said the attackers behind the operation set up a fake security company called SecuriElite and a slew of social media accounts across Twitter and LinkedIn in an attempt to trick unsuspecting researchers into visiting the company’s booby-trapped website “where a browser exploit was waiting to be triggered.”
Eight Twitter profiles and seven LinkedIn profiles, who claimed to be vulnerability researchers and human resources personnel at different security firms were created for this purpose, with a few others posing as the chief executive officer and employees at the fictitious company. All the accounts have since been suspended.
The campaign was initially flagged by TAG in January 2021, when it came to light that the adversary had created a research blog and multiple profiles on various social media platforms such as Twitter, LinkedIn, Telegram, Discord, and Keybase in a bid to communicate with the researchers and build trust, only to deploy a Windows backdoor that came in the form of a trojanized Visual Studio Project.
Researchers from South Korean cybersecurity firm ENKI revealed a zero-day in Internet Explorer that it said allowed the hackers to access the devices managed by its security team with malicious MHTML files. Microsoft later addressed the issue in its Patch Tuesday update for March 2021.
Google has added the website’s URL to its Safebrowsing blocklist service to prevent accidental visits, even though the site hasn’t been found to serve any malicious content.
The real motive behind the attacks remains unclear as yet, although it’s being suspected that the threat actor may be attempting to stealthily gain a foothold on systems in order to get hold of zero-day research, and in the process, use those unpatched vulnerabilities to stage further attacks on vulnerable targets of their choice.