North Korea infected infosec bods with backdoors via dodgy blog pages, Visual Studio files – Google

Security eggheads discover their PCs chatting with Kim Jong Un's hackers

North Korea's hackers homed in on specific infosec researchers and infected their systems with a backdoor after luring them to a suspicious website, Google revealed on Monday.

The internet giant's Threat Analysis Group said Pyongyang's snoops would send private messages to their targets – primarily folks investigating software security vulnerabilities – via Twitter, LinkedIn, Telegram, Discord, Keybase or plain ol' email, and try to lure the marks to a blog promising details of exploitable bugs.

After visiting that site, however, the researchers found malware had been planted on their PCs and was running quietly in the background. It's assumed the page exploited one or more zero-day holes in the victims' browsers or operating systems to achieve this, though the exact mechanism is not yet known. How Google got wind of this ongoing operation is not clear either, though we could hazard a guess.

"The researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server," said Googler Adam Weidemann.

"At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have."

Researchers were also offered Visual Studio projects said to contain exploit code. Alongside the source, these projects included a DLL that was executed via Visual Studio Build Events – the pre-build, pre-link and post-build commands MSBuild runs automatically when a project is compiled – and that then connected to a remote server to fetch its masterminds' instructions.
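The check a practitioner would want before building a project received from a stranger is to look at what its build events actually run. The following is an added example, not code from Google's report or from The Register: it parses the MSBuild XML of a .vcxproj/.csproj, collects every PreBuildEvent, PreLinkEvent and PostBuildEvent command and every Exec task, and flags commands that launch a DLL loader or script host rather than normal build tooling. The sample project, its file names and the rundll32/powershell commands in it are constructed for the demo and are hypothetical.

```python
"""Scan a Visual Studio project file for build-event commands that load or
launch something other than the build toolchain.

Added example; not Google TAG's or The Register's code. The project XML
below is constructed for the demo; helper.dll and the commands are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")

# Loading a DLL via rundll32/regsvr32 or starting a script host from a build
# step is the shape a backdoor hidden in build events would take.
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell|pwsh|certutil|"
    r"bitsadmin|curl|wget|msiexec|schtasks)(\.exe)?\b",
    re.IGNORECASE,
)

# Constructed sample .vcxproj: one benign post-build copy, one hypothetical
# pre-build DLL load, one hypothetical Exec task running an encoded script.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
    </ClCompile>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)x64\\helper.dll",Init</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -w hidden -enc SQBFAFgA" />
  </Target>
</Project>
"""


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def build_commands(project_xml: str) -> list[tuple[str, str]]:
    """Return (step, command) pairs for every build event and Exec task."""
    root = ET.fromstring(project_xml)
    found = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in EVENT_TAGS:
            # .vcxproj nests the command in <Command>; old-style .csproj puts
            # it directly in the element text. Handle both.
            cmds = [c.text for c in elem if _local(c.tag) == "Command" and c.text]
            if not cmds and elem.text and elem.text.strip():
                cmds = [elem.text]
            found.extend((tag, c.strip()) for c in cmds)
        elif tag == "Exec" and elem.get("Command"):
            found.append(("Exec", elem.get("Command").strip()))
    return found


def suspicious_commands(project_xml: str) -> list[tuple[str, str]]:
    """Subset of build_commands() whose command hits the SUSPICIOUS pattern."""
    return [(step, cmd) for step, cmd in build_commands(project_xml)
            if SUSPICIOUS.search(cmd)]


if __name__ == "__main__":
    for step, cmd in build_commands(SAMPLE_VCXPROJ):
        flag = "SUSPICIOUS" if SUSPICIOUS.search(cmd) else "ok"
        print(f"[{flag:10}] {step}: {cmd}")
```

Running it over the constructed project flags the PreBuildEvent and the Exec task and leaves the copy step alone. The pattern list is deliberately short; the point is that build events are executed the moment you hit Build, before any exploit code in the project is even compiled, so the project file deserves the same scrutiny as the source.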

This was a long con. Over several months, Kim Jong Un's spies set up a plausible-looking blog covering security vulnerabilities, along with multiple social media accounts, and even recruited unwitting legitimate security researchers to guest post on the site.

It wasn't a perfect operation, though. On January 14, the operators posted a YouTube video purporting to show them exploiting Windows Defender vulnerability CVE-2021-1647, but the demonstration was obviously faked. The team used another of its social media accounts to defend the video when viewers called it out.

The attacks are attributed to North Korea by Google, and the Chocolate Factory has posted a full list of dodgy online accounts and profiles, domains, and file paths associated with the campaign in its report, if you want to go through your logs and inboxes for signs of suspicious activity.

Whoever was behind it, they were, we guess, looking to glean new and valuable vulnerabilities and other intelligence from their targets' private research. Now, if anyone can figure out how the North Koreans got into their victims' PCs, there's a pretty penny to be made from those exploits – preferably by getting the flaw fixed via a Google bug bounty.

"If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research," Weidemann concluded. ®

Biting the hand that feeds IT © 1998–2022