After establishing a connection with the targeted researcher, the threat actors sent a malicious file that included at least one zero-day in a widely used software package Google refrained from naming in the notification.
Once exploitation succeeds, the shellcode performs a series of anti-virtual-machine checks and then sends the collected information and screenshots back to an attacker-controlled C2 domain.
The attack has a secondary infection vector
Apart from the zero-day exploits, the threat actors also plant a standalone Windows tool they developed to download debugging symbols and critical program metadata from Microsoft, Google, Mozilla, and Citrix symbol servers.
“On the surface, this tool appears to be a useful utility for quickly and easily downloading symbol information from a number of different sources,” TAG said. “The source code for this tool was first published on GitHub on September 30, 2022, with several updates being released since.”
Symbol servers provide additional information about a binary that can be helpful when debugging software issues or while conducting vulnerability research. The tool also has the ability to download and execute arbitrary code from an attacker-controlled domain, TAG added.
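To make the symbol-server mechanism concrete, here is an added example (not code from the article, from TAG, or from the tool it describes) showing how a legitimate symbol lookup is derived from a binary's CodeView debug record, and how a defender can triage the outbound requests a symbol-downloading utility makes against a host allowlist. The RSDS record, the request log, and the `.invalid` host are constructed for illustration; the Microsoft and Mozilla symbol server URLs are the publicly documented ones, and any further hosts in a real allowlist should be verified against vendor documentation.

```python
import re
import struct
import uuid
from urllib.parse import urlsplit

# Publicly documented symbol server bases (Microsoft and Mozilla). Any other
# host added to a production allowlist should be verified with the vendor.
MICROSOFT_SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"
MOZILLA_SYMBOL_SERVER = "https://symbols.mozilla.org"
ALLOWED_SYMBOL_HOSTS = {
    urlsplit(MICROSOFT_SYMBOL_SERVER).hostname,
    urlsplit(MOZILLA_SYMBOL_SERVER).hostname,
}

# Constructed CodeView "RSDS" record, as found in a PE debug directory:
# 'RSDS' signature, 16-byte GUID (mixed-endian), 4-byte age, NUL-terminated
# PDB path. GUID, age and path are made-up values for this example.
SAMPLE_RSDS = (
    b"RSDS"
    + bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
    + struct.pack("<I", 2)
    + b"C:\\build\\example.pdb\x00"
)


def parse_rsds(record: bytes) -> tuple:
    """Return (pdb file name, symbol-server key) from an RSDS debug record."""
    if record[:4] != b"RSDS" or len(record) < 25:
        raise ValueError("not a CodeView RSDS record")
    guid = uuid.UUID(bytes_le=record[4:20])      # PE stores the GUID mixed-endian
    (age,) = struct.unpack_from("<I", record, 20)
    path = record[24:].split(b"\x00", 1)[0].decode("utf-8", "replace")
    pdb_name = path.replace("\\", "/").rsplit("/", 1)[-1]
    # Symbol-server key: 32 upper-case hex GUID digits followed by the age in hex.
    key = f"{guid.hex.upper()}{age:X}"
    return pdb_name, key


def symbol_url(server: str, pdb_name: str, key: str) -> str:
    """Build the conventional <server>/<pdb>/<key>/<pdb> lookup URL."""
    return f"{server.rstrip('/')}/{pdb_name}/{key}/{pdb_name}"


# Path shape of a symbol lookup: .../<file>/<32 hex GUID + hex age>/<same file>
SYMBOL_PATH_RE = re.compile(r"^(?:/[^/]+)*/([^/]+)/[0-9A-F]{32}[0-9A-F]+/\1$")


def triage_requests(urls):
    """Classify each outbound URL a symbol tool makes.

    'symbol-lookup'  : allowed host and a path shaped like a symbol lookup
    'unexpected-path': allowed host but not a symbol lookup (worth a look)
    'unexpected-host': any host outside the allowlist (worth an alert)
    """
    results = []
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname not in ALLOWED_SYMBOL_HOSTS:
            verdict = "unexpected-host"
        elif not SYMBOL_PATH_RE.match(parts.path):
            verdict = "unexpected-path"
        else:
            verdict = "symbol-lookup"
        results.append((url, verdict))
    return results


# Constructed request log: two legitimate lookups, one malformed lookup on an
# allowed host, and one fetch from an unrelated (placeholder) host.
SAMPLE_REQUESTS = [
    symbol_url(MICROSOFT_SYMBOL_SERVER, *parse_rsds(SAMPLE_RSDS)),
    symbol_url(MOZILLA_SYMBOL_SERVER, "xul.pdb", "0123456789ABCDEF0123456789ABCDEF1"),
    f"{MICROSOFT_SYMBOL_SERVER}/example.pdb/notakey/example.pdb",
    "https://symbols.example.invalid/update/stage2.bin",
]

if __name__ == "__main__":
    for url, verdict in triage_requests(SAMPLE_REQUESTS):
        print(f"{verdict:16} {url}")
```

The triage deliberately keys on the host first: a utility whose only legitimate job is fetching symbols has no reason to contact anything outside the known symbol servers, so an outbound request to any other domain is the signal a defender wants, regardless of what the path looks like.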