Skip to main content

New campaign targeting security researchers

Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.

In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.

A screenshot of 4 actor controlled Twitter profiles: @z0x55g, @james0x40, @br0vvnn and @BrownSec3Labs

Actor controlled Twitter profiles.

Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.

A screenshot from the actors' blog of an analysis done by the actor about a publicly disclosed vulnerability.

Example of an analysis done by the actor about a publicly disclosed vulnerability.

While we are unable to verify the authenticity or the working status of all of the exploits that they have posted videos of, in at least one case, the actors have faked the success of their claimed working exploit. On Jan 14, 2021, the actors shared via Twitter a YouTube video they uploaded that proclaimed to exploit CVE-2021-1647, a recently patched Windows Defender vulnerability. In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake. Multiple comments on YouTube identified that the video was faked and that there was not a working exploit demonstrated. After these comments were made, the actors used a second Twitter account (that they control) to retweet the original post and claim that it was “not a fake video.”

Tweets demonstrating the actors “exploits”

Tweets demonstrating the actors' “exploits”

Security researcher targeting

The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains. An example of the VS Build Event can be seen in the image below.

Visual Studio Build Events command executed when building the provided VS Project files

Visual Studio Build Events command executed when building the provided VS Project files

In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have. Chrome vulnerabilities, including those being exploited in the wild (ITW), are eligible for reward payout under Chrome's Vulnerability Reward Program. We encourage anyone who discovers a Chrome vulnerability to report that activity via the Chrome VRP submission process.

These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email. We are providing a list of known accounts and aliases below. If you have communicated with any of these accounts or visited the actors’ blog, we suggest you review your systems for the IOCs provided below. To date, we have only seen these actors targeting Windows systems as a part of this campaign.

If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.

Actor controlled sites and accounts

Research Blog
  • https://blog.br0vvnn[.]io
Twitter Accounts
  • https://twitter.com/br0vvnn
  • https://twitter.com/BrownSec3Labs
  • https://twitter.com/dev0exp
  • https://twitter.com/djokovic808
  • https://twitter.com/henya290 
  • https://twitter.com/james0x40
  • https://twitter.com/m5t0r
  • https://twitter.com/mvp4p3r
  • https://twitter.com/tjrim91
  • https://twitter.com/z0x55g
LinkedIn Accounts
  • https://ift.tt/2YgkQ2A
  • https://ift.tt/39fXf8A
  • https://ift.tt/39juA2G
  • https://ift.tt/3phFefS
  • https://ift.tt/39i2W5T
Keybase
  • https://ift.tt/2Nw0b8B
Telegram
  • https://t.me/james50d
Sample Hashes
  • https://ift.tt/2Nw0ccF (VS Project DLL)
  • https://ift.tt/3pmO8c2 (VS Project DLL)
  • https://ift.tt/2Yb4t7E (VS Project Dropped DLL)
  • https://ift.tt/3plcuTj (VS Project Dropped DLL)
  • https://ift.tt/3ccGQDY (Service DLL)
C2 Domains: Attacker-Owned
  • angeldonationblog[.]com
  • codevexillium[.]org
  • investbooking[.]de
  • krakenfolio[.]com
  • opsonew3org[.]sg
  • transferwiser[.]io
  • transplugin[.]io
C2 Domains: Legitimate but Compromised
  • trophylab[.]com
  • www.colasprint[.]com
  • www.dronerc[.]it
  • www.edujikim[.]com
  • www.fabioluciani[.]com
C2 URLs
  • https[:]//angeldonationblog[.]com/image/upload/upload.php
  • https[:]//codevexillium[.]org/image/download/download.asp
  • https[:]//investbooking[.]de/upload/upload.asp
  • https[:]//transplugin[.]io/upload/upload.asp
  • https[:]//www.dronerc[.]it/forum/uploads/index.php
  • https[:]//www.dronerc[.]it/shop_testbr/Core/upload.php
  • https[:]//www.dronerc[.]it/shop_testbr/upload/upload.php
  • https[:]//www.edujikim[.]com/intro/blue/insert.asp
  • https[:]//www.fabioluciani[.]com/es/include/include.asp
  • http[:]//trophylab[.]com/notice/images/renewal/upload.asp
  • http[:]//www.colasprint[.]com/_vti_log/upload.asp

Host IOCs

  • Registry Keys

    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig

    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig

    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update 

  • File Paths

    • C:\Windows\System32\Nwsapagent.sys

    • C:\Windows\System32\helpsvc.sys

    • C:\ProgramData\USOShared\uso.bin

    • C:\ProgramData\VMware\vmnat-update.bin

    • C:\ProgramData\VirtualBox\update.bin


by Adam WeidemannThreat Analysis Group via The Keyword

Comments

Post a Comment

Popular posts from this blog

certain keys on my keyboard dont work when "cold"

Hi guys, i have a Lenovo Y520-15IKBN (80WK) and certain keys on the keyboard don't work (e,g,h,8,9,Fn...) but only when the weather is cold. for example in the winter it used to work after certain amount of time when i first boot the laptop and stops working when i stop using it for a while, but now that the weather is hot it works just fine except for the first couple of minutes or when its colder. of course i do realise that it has nothing to do with the outside weather but with the temperature of the computer itself. can someone explain to me why this is happening and how it should be fixed as i cannot take it to the tech service until july even though it's still under warranty because i need it for school. ps: an external keyboard works fine. Submitted April 29, 2018 at 03:35PM by AMmej https://ift.tt/2KiQg05
Post a Comment
Read more

Old PC with a Foxconn n15235 motherboard needs drivers! Help!!

So my Pc corrupted and I had to fresh install windows on it, but now its missing 3 drivers and one of them is for the Ethernet controller! I've tried searching everywhere for the windows 7 drivers but all I seem to find are some dodgey programs saying they will install it for me. Problem is without the ethernet driver I can't bloody connect to the internet. I've been using a USB to try get some drivers on there, but they just end up being useless programmes . I'm also a bit of a noob at these things, I don't understand where to find the names of things in my PC, I've opened it up but I don't understand whats significant and what isnt. If someone has the drivers and can teach me how to install them I'd be very appreciative! Submitted April 29, 2018 at 02:47PM by darrilsteady https://ift.tt/2r76xMZ
Post a Comment
Read more