The findings come from Google’s Threat Analysis Group (TAG), which found the adversary setting up fake accounts on social media platforms like X (formerly Twitter) and Mastodon to forge relationships with potential targets and build trust.
“In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest,” security researchers Clement Lecigne and Maddie Stone said. “After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp, or Wire.”
The social engineering exercise ultimately paves the way for a malicious file containing at least one zero-day in a popular software package. The vulnerability is currently in the process of being fixed.
The payload, for its part, performs a number of anti-virtual machine (VM) checks and transmits the collected information, along with a screenshot, back to an attacker-controlled server.
A search on X shows that the now-suspended account has been active since at least October 2022, with the actor releasing proof-of-concept (PoC) exploit code for high-severity privilege escalation flaws in the Windows Kernel such as CVE-2021-34514 and CVE-2022-21881.
This is not the first time North Korean actors have leveraged collaboration-themed lures to infect victims. In July 2023, GitHub disclosed details of an npm campaign in which adversaries tracked as TraderTraitor (aka Jade Sleet) used fake personas to target the cybersecurity sector, among others.
“After establishing contact with a target, the threat actor invites the target to collaborate on a GitHub repository and convinces the target to clone and execute its contents,” the Microsoft-owned company said at the time.
Google TAG said it also found a standalone Windows tool named “GetSymbol” developed by the attackers and hosted on GitHub as a potential secondary infection vector. It has been forked 23 times to date.
The rigged software, published on GitHub way back in September 2022 and now taken down, offers a means to “download debugging symbols from Microsoft, Google, Mozilla, and Citrix symbol servers for reverse engineers.”
But it also comes with the ability to download and execute arbitrary code from a command-and-control (C2) domain.
The disclosure comes as the AhnLab Security Emergency Response Center (ASEC) revealed that the North Korean nation-state actor known as ScarCruft is leveraging LNK file lures in phishing emails to deliver a backdoor capable of harvesting sensitive data and executing malicious instructions.
It also follows new findings from Microsoft that “multiple North Korean threat actors have recently targeted the Russian government and defense industry – likely for intelligence collection – while simultaneously providing material support for Russia in its war on Ukraine.”
The targeting of Russian defense companies was also highlighted by SentinelOne last month, which revealed that both Lazarus Group (aka Diamond Sleet or Labyrinth Chollima) and ScarCruft (aka Ricochet Chollima or Ruby Sleet) breached NPO Mashinostroyeniya, a Russian missile engineering firm, to facilitate intelligence gathering.
The two actors have also been observed infiltrating arms manufacturing companies based in Germany and Israel from November 2022 to January 2023, not to mention compromising an aerospace research institute in Russia as well as defense companies in Brazil, Czechia, Finland, Italy, Norway, and Poland since the start of the year.
“This suggests that the North Korean government is assigning multiple threat actor groups at once to meet high-priority collection requirements to improve the country’s military capabilities,” the tech giant said.
Earlier this week, the U.S. Federal Bureau of Investigation (FBI) implicated the Lazarus Group as being behind the theft of $41 million in virtual currency from Stake.com, an online casino and betting platform.
It said that the stolen funds associated with the Ethereum, Binance Smart Chain (BSC), and Polygon networks from Stake.com have been moved to 33 different wallets on or about September 4, 2023.
“North Korean cyber threat actors pursue cyber operations aiming to (1) collect intelligence on the activities of the state’s perceived adversaries: South Korea, the United States, and Japan, (2) collect intelligence on other countries’ military capabilities to improve their own, and (3) collect cryptocurrency funds for the state,” Microsoft said.