The attackers are using social media, fake research blogs and Web sites to pose as legitimate researchers. They either infect browsers via their sites and blogs or share Visual Studio projects containing malware to gain a foothold, targeting Windows systems. The aim, according to Microsoft, is to steal security researcher information.
Google described how malware infections occurred after researchers visited one of the group’s blogs. It’s unclear to Google how the malware took hold, so an apparent “zero-day” vulnerability may be involved.
Here’s Google’s description of the incident:
At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have.
Microsoft’s announcement, which referred to the attack group as “ZINC,” contains additional information about how the group used Visual Studio project files to drop a malicious dynamic link library file on the victim’s system. The malware dropped was identified as “Comebacker,” and it was used to create a command and control center on the victim’s system. The attackers typically shared these Visual Studio project files with the researchers who had gained their trust.
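A defender-side triage check for the project-file technique described above, as an added illustration that is not code from Google, Microsoft or the reported campaign: it parses a .vcxproj and flags build-event commands that hand a file to a system loader such as rundll32 before anything is compiled. The assumption that the malicious DLL was launched from a build event, the MSBuild namespace handling, and the sample project are all constructed here and not taken from the page.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Namespace every MSBuild-based .vcxproj declares on its root element.
NS = {"m": "http://schemas.microsoft.com/developer/msbuild/2003"}
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep")
# System binaries that can execute a DLL or script outside the compiler's control.
SUSPICIOUS = re.compile(r"\b(rundll32|regsvr32|mshta|powershell|cmd(\.exe)?\s+/c)\b", re.I)

# Constructed sample: one benign copy step and one pre-build step that passes a
# bundled data file to rundll32 (assumed mechanism; file name is a placeholder).
SAMPLE_VCXPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dat",Start</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""


def find_suspicious_build_events(vcxproj_xml):
    """Return (event_tag, condition, command) for every build-event command
    that invokes a known loader; an empty list means nothing was flagged."""
    root = ET.fromstring(vcxproj_xml)
    findings = []
    for group in root.findall("m:ItemDefinitionGroup", NS):
        condition = group.get("Condition", "")
        for tag in EVENT_TAGS:
            for event in group.findall(f"m:{tag}", NS):
                command = event.findtext("m:Command", default="", namespaces=NS)
                if SUSPICIOUS.search(command):
                    findings.append((tag, condition, command.strip()))
    return findings


if __name__ == "__main__":
    # Usage: python triage_vcxproj.py project.vcxproj [...]; no args scans the sample.
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
    for name, xml_text in sources or [("<sample>", SAMPLE_VCXPROJ)]:
        for tag, condition, command in find_suspicious_build_events(xml_text):
            print(f"{name}: {tag} [{condition or 'all configs'}] -> {command}")
```

Review any flagged command by hand before building: a legitimate project can run rundll32, but an unexplained loader call in a project received from a stranger is exactly the foothold the article describes.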
The attack campaign can be detected using the Microsoft Defender for Endpoint service, Microsoft indicated.
Both Google and Microsoft provided a list of the attackers’ sites, personas and Twitter handles so that researchers could check whether they had interacted with them. They also listed various indicators of compromise.
Google recommended that researchers use a virtual machine to protect against such attacks:
If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.
Microsoft suggested that security researchers should scan for the malware and other indicators of compromise associated with the attackers, which would indicate “full compromise” if found:
If you visited the referenced ZINC-owned blog (br0vvnn[.]io), you should immediately run a full antimalware scan and use the provided IOCs to check your systems for intrusion. If a scan or searching for the IOCs find any related malware on your systems, you should assume full compromise and rebuild.
The notion that the attackers worked for North Korea is “based on observed tradecraft, infrastructure, malware patterns, and account affiliations,” Microsoft indicated.