North Korean Cybercriminals Exploit Zero-Day Vulnerability Targeting Cybersecurity Experts

September 8, 2023

North Korean cybercriminals have been exploiting a zero-day vulnerability in an unspecified software to infiltrate cybersecurity experts' systems, according to Google's Threat Analysis Group (TAG). The hackers have been creating fake social media accounts to build relationships with potential targets, leading to the delivery of a malicious file containing the zero-day vulnerability.

The hackers initiated conversations with potential targets, attempting to collaborate on topics of mutual interest. After establishing contact, they would move the conversation to encrypted messaging apps such as Signal, WhatsApp, or Wire. This social engineering exercise ultimately led to the delivery of a malicious file containing at least one zero-day in a popular software package. The vulnerability is currently being patched.

The payload performs a number of anti-virtual machine (VM) checks and sends the collected information, along with a screenshot, back to an attacker-controlled server. The hackers have been active since at least October 2022, releasing proof-of-concept (PoC) exploit code for high-severity privilege escalation flaws in the Windows Kernel such as CVE-2021-34514 and CVE-2022-21881.

In July 2023, GitHub reported an npm campaign where adversaries known as TraderTraitor used fake personas to target the cybersecurity sector. After establishing contact with a target, the threat actor would invite the target to collaborate on a GitHub repository and convince the target to clone and execute its contents. Google TAG also found a standalone Windows tool named 'GetSymbol' developed by the attackers and hosted on GitHub as a potential secondary infection vector.

North Korean nation-state actor known as ScarCruft is leveraging LNK file lures in phishing emails to deliver a backdoor capable of harvesting sensitive data and executing malicious instructions. Microsoft has also reported that multiple North Korean threat actors have recently targeted the Russian government and defense industry for intelligence collection.

North Korean threat groups Lazarus Group and ScarCruft breached a Russian missile engineering firm, NPO Mashinostroyeniya, to facilitate intelligence gathering. They have also infiltrated arms manufacturing companies in Germany and Israel, and defense companies in Brazil, Czechia, Finland, Italy, Norway, and Poland.

The U.S. Federal Bureau of Investigation (FBI) implicated the Lazarus Group in the theft of 41 million in virtual currency from Stake.com, an online casino and betting platform. The stolen funds have been moved to 33 different wallets. 'North Korean cyber threat actors pursue cyber operations aiming to collect intelligence on the activities of the state's perceived adversaries: South Korea, the United States, and Japan, collect intelligence on other countries' military capabilities to improve their own, and collect cryptocurrency funds for the state,' Microsoft stated.

Latest News

• Ransomware Gangs Exploit Cisco VPN Zero-Day Vulnerability
• Apple Patches Zero-Days Actively Exploited to Deliver Pegasus Spyware
• HPE OneView Software Plagued by Three Major Security Vulnerabilities
• Iranian Hackers Exploit Zoho and Fortinet Vulnerabilities to Breach US Aviation Organization
• Critical Authentication Bypass Vulnerability Found in Cisco BroadWorks