Google’s threat hunting unit has again intercepted an active North Korean APT actor sliding into the DMs of security researchers and using zero-days and rigged software tools to take control of their computers. Google’s Threat Analysis Group (TAG) recently reported the government-backed hacking team’s social media accounts and warned that at least one actively exploited zero-day is being used and is currently unpatched.[1]
See: https://redskyalliance.org/xindustry/no-good-deed-goes-unpunished
Using platforms like X (the successor to Twitter) as their initial point of contact, the North Korean threat actor cunningly forged relationships with targeted researchers through prolonged interactions and discussions. “In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package,” a Google spokesman explained.
Google investigators did not identify the vulnerable software package. They said the zero-day exploit was used to plant shellcode that conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain. “The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits,” researchers noted that the security defect has been reported to the affected vendor and is in the process of being patched.
North Korean hackers have been involved in a broad scheme to steal money from banks and conduct cyberattacks targeting the entertainment industry. The hackers have used increasingly sophisticated techniques to gain access to digital networks involved in cyberfinance and to steal information useful for North Korea's nuclear and ballistic missile programs. The FBI has blamed North Korean hackers for stealing over $600 million in cryptocurrency from a video gaming company. The North Korean hackers are known as the Lazarus Group, and little is known about them.[2]
See: https://redskyalliance.org/xindustry/lazarus-group-is-back-with-more-malware
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. redskyalliance. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.securityweek.com/rigged-software-and-zero-days-north-korean-apt-caught-hacking-security-researchers/
[2] https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a
Comments