Avraham wasn’t the only one who had this sort of conversation with the “Zhang Guo” Twitter account and its associated aliases, all of which are now suspended. Dozens of other security researchers—and possibly even more—in the United States, Europe, and China received similar messages in recent months. But as Google's Threat Analysis Group revealed Monday, those messages weren't from bug-hunting hobbyists at all. They were the work of hackers sent by the North Korean government, part of a sweeping campaign of social engineering attacks designed to compromise high-profile cybersecurity professionals and steal their research.
The attackers didn't limit themselves to Twitter. They set up identities across Telegram, Keybase, LinkedIn, and Discord as well, messaging established security researchers about potential collaborations. They built out a legitimate-looking blog complete with the kind of vulnerability analyses you'd find from a real firm. They had found a flaw in Microsoft Windows, they'd say, or Chrome, depending on the expertise of their target. They needed help figuring out if it was exploitable. It was all a front. Every exchange had a common goal: Get the victim to download malware masquerading as a research project, or click a link in a malware-laced blog post. Targeting security researchers was, as Google called it, a “novel social engineering method.”
“If you have communicated with any of these accounts or visited the actors’ blog, we suggest you review your systems,” TAG researcher Adam Weidemann wrote. “To date, we have only seen these actors targeting Windows systems as a part of this campaign.”

The attackers primarily attempted to spread their malware by sharing Microsoft Visual Studio projects with targets. Visual Studio is a development tool for writing software; the attackers would send the exploit source code they claimed to be working on with malware as a stowaway. Once a victim downloaded and opened the tainted project, a malicious library would start communicating with the attackers' command and control server.
The malicious blog link provided a different potential avenue for infection. With one click, targets unknowingly triggered an exploit that gave attackers remote access to their device. Victims reported that they were running current versions of Windows 10 and Chrome, which indicates the hackers may have used an unknown, or zero-day, Chrome exploit to gain access. ZecOps’ Avraham says that while the hackers hadn't fooled him in their brief DM chat, he did click on a link in one of the attackers' blog posts that purported to show some research-related code. He did so from a dedicated and isolated Android device that he says doesn't seem to have been compromised. But the focus of the bogus blog's analysis raised red flags at the time. “I suspected once I saw the shellcode,” he says of the malware payload the attacker deployed in an attempted compromise. “It was a bit odd and cryptic.”