Probable DPRK Nexus Actors Targeting Security Researchers

Yesterday, Google’s Threat Analysis Group (TAG) published a blog post identifying an ongoing campaign targeting security researchers working on vulnerability research and development. TAG attributed this activity to a North Korea nexus threat group. According to TAG, the group took its time building credibility with security researchers by creating a blog on which the actors published analysis of publicly disclosed vulnerabilities. The actors also created multiple Twitter, LinkedIn, Telegram, Discord, Keybase, and email accounts posing as security researchers. These accounts were used to tweet links to the blog, retweet other accounts the threat actors controlled, and interact with the online information security community. Through this activity the actors built both a list of targets and credibility with the community, culminating in guest posts from legitimate security researchers on the threat actors’ blog.

Path to Compromise

The path to compromise in this campaign consisted of two methods. First, the threat actors tweeted links to a blog post that hosted a drive-by compromise, infecting the target’s machine. To date, all of the compromised researchers were running up-to-date Windows 10 and Chrome browser versions, and the zero-day exploit used by the actors is not known at this time. Second, the actors capitalized on the credibility they had built by reaching out to researchers and asking whether they would like to collaborate on vulnerability research. Targets were then given a Visual Studio project containing the exploit code for the vulnerability in question along with a malicious library that functioned as a Command and Control (C2) beacon. Google is requesting assistance in identifying the zero-day exploit used by the actors via its Vulnerability Reward Program.

Attribution

Attribution for this campaign was initially provided by Google, though we do not know what evidence drove this conclusion. However, Kaspersky’s Threat Attribution Engine has identified code similarities between the recent samples and the Manuscrypt malware family, and Intezer Labs has published similar findings.

Manuscrypt has been distributed by the Lazarus Group since at least 2018 and has primarily been observed in campaigns targeting South Korean political targets as well as cryptocurrency exchanges. Last spring, CISA released a Malware Analysis Report identifying samples associated with Lazarus Group activity, including the 2018 global data reconnaissance campaign attributed to the threat actor. Lazarus Group has also targeted researchers before: in 2019, the threat actor targeted individuals associated with US-based think tanks and universities working on North Korea denuclearization research.

Conclusion

North Korean threat actors have become increasingly sophisticated over the last five years and will likely be included in more organizations’ threat models over the next five. These threat actors have used cyber attacks, such as the Sony Pictures attack and the attack on South Korean ATMs, for coercive purposes and to steal from financial institutions and cryptocurrency exchanges. Recently, North Korean actors have branched out into cyber-espionage to gain an understanding of their adversaries’ denuclearization assessments, to steal COVID-19 vaccine-related information, and to gain information about researchers working on the North Korea target. Expect more activity from North Korea nexus actors if US-DPRK relations remain at an impasse.

IOCs

Actor controlled sites and accounts

Research Blog

https://blog.br0vvnn[.]io

Twitter Accounts

LinkedIn Accounts

https://www.linkedin.com/in/billy-brown-a6678b1b8/

https://www.linkedin.com/in/guo-zhang-b152721bb/

https://www.linkedin.com/in/hyungwoo-lee-6985501b9/

https://www.linkedin.com/in/linshuang-li-aa696391bb/

https://www.linkedin.com/in/rimmer-trajan-2806b21bb/

Keybase

https://keybase.io/zhangguo

Telegram

https://t.me/james50d

Sample Hashes

    https://www.virustotal.com/gui/file/4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244/detection (VS Project DLL)

    https://www.virustotal.com/gui/file/68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7/detection (VS Project DLL)

    https://www.virustotal.com/gui/file/25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc/detection (VS Project Dropped DLL)

    https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection (VS Project Dropped DLL)

    https://www.virustotal.com/gui/file/a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15/detection (Service DLL)

C2 Domains: Attacker-Owned

    angeldonationblog[.]com

    codevexillium[.]org

    investbooking[.]de

    krakenfolio[.]com

    opsonew3org[.]sg

    transferwiser[.]io

    transplugin[.]io

C2 Domains: Legitimate but Compromised

    trophylab[.]com

    www.colasprint[.]com

    www.dronerc[.]it

    www.edujikim[.]com

    www.fabioluciani[.]com

C2 URLs

    https[:]//angeldonationblog[.]com/image/upload/upload.php

    https[:]//codevexillium[.]org/image/download/download.asp

    https[:]//investbooking[.]de/upload/upload.asp

    https[:]//transplugin[.]io/upload/upload.asp

    https[:]//www.dronerc[.]it/forum/uploads/index.php

    https[:]//www.dronerc[.]it/shop_testbr/Core/upload.php

    https[:]//www.dronerc[.]it/shop_testbr/upload/upload.php

    https[:]//www.edujikim[.]com/intro/blue/insert.asp

    https[:]//www.fabioluciani[.]com/es/include/include.asp

    http[:]//trophylab[.]com/notice/images/renewal/upload.asp

    http[:]//www.colasprint[.]com/_vti_log/upload.asp

Host IOCs

    Registry Keys

        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig

        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig

        HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update

    File Paths

        C:\Windows\System32\Nwsapagent.sys

        C:\Windows\System32\helpsvc.sys

        C:\ProgramData\USOShared\uso.bin

        C:\ProgramData\VMware\vmnat-update.bin

        C:\ProgramData\VirtualBox\update.bin
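As an added example (not part of the original post), the Python below refangs the network and host IOCs listed above and matches them against log lines, so a defender can sweep proxy, DNS, Sysmon-style and EDR records for this campaign's indicators. The IOC values are copied from the list above; the sample log lines, their field names, and the function names (`refang`, `host_matches`, `scan_line`, `scan_logs`) are constructed for illustration and are not from TAG or the post's author.

```python
"""Match the IOCs listed above against log lines (added example, not part of
the original post). IOC values are copied from the list above; the log lines,
field names and function names are constructed for illustration."""
import re
from urllib.parse import urlparse


def refang(ioc: str) -> str:
    """Undo the defanging used in the IOC list ([.] and [:])."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


# Network IOCs, refanged from the list above (attacker-owned and compromised).
C2_DOMAINS = [refang(d) for d in (
    "angeldonationblog[.]com", "codevexillium[.]org", "investbooking[.]de",
    "krakenfolio[.]com", "opsonew3org[.]sg", "transferwiser[.]io",
    "transplugin[.]io", "trophylab[.]com", "www.colasprint[.]com",
    "www.dronerc[.]it", "www.edujikim[.]com", "www.fabioluciani[.]com",
)]
C2_URLS = [refang(u) for u in (
    "https[:]//angeldonationblog[.]com/image/upload/upload.php",
    "https[:]//codevexillium[.]org/image/download/download.asp",
    "https[:]//investbooking[.]de/upload/upload.asp",
    "https[:]//transplugin[.]io/upload/upload.asp",
    "https[:]//www.dronerc[.]it/forum/uploads/index.php",
    "https[:]//www.dronerc[.]it/shop_testbr/Core/upload.php",
    "https[:]//www.dronerc[.]it/shop_testbr/upload/upload.php",
    "https[:]//www.edujikim[.]com/intro/blue/insert.asp",
    "https[:]//www.fabioluciani[.]com/es/include/include.asp",
    "http[:]//trophylab[.]com/notice/images/renewal/upload.asp",
    "http[:]//www.colasprint[.]com/_vti_log/upload.asp",
)]
# SHA-256 values taken from the VirusTotal links above.
SAMPLE_HASHES = [
    "4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244",
    "68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7",
    "25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc",
    "a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855",
    "a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15",
]
# Host IOCs, as listed above.
REGISTRY_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update",
]
FILE_PATHS = [
    r"C:\Windows\System32\Nwsapagent.sys",
    r"C:\Windows\System32\helpsvc.sys",
    r"C:\ProgramData\USOShared\uso.bin",
    r"C:\ProgramData\VMware\vmnat-update.bin",
    r"C:\ProgramData\VirtualBox\update.bin",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def host_matches(host: str, ioc_domain: str) -> bool:
    """Exact host or any subdomain of the listed host. Parent domains are not
    matched, so the 'www.' entries for compromised legitimate sites stay narrow."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_line(line: str) -> list:
    """Return de-duplicated (ioc_type, ioc) hits found in one log line."""
    hits = []
    for url in URL_RE.findall(line):
        parsed = urlparse(url)
        # Compare scheme + host + path only; ignore the query string and case.
        bare = f"{parsed.scheme}://{parsed.hostname or ''}{parsed.path}"
        hits += [("c2_url", u) for u in C2_URLS if bare.lower() == u.lower()]
    for token in DOMAIN_RE.findall(line):  # bare hostnames, e.g. DNS logs
        hits += [("c2_domain", d) for d in C2_DOMAINS if host_matches(token, d)]
    for digest in SHA256_RE.findall(line):
        if digest.lower() in SAMPLE_HASHES:
            hits.append(("sha256", digest.lower()))
    lowered = line.lower()  # Windows registry and file paths are case-insensitive
    hits += [("registry_key", k) for k in REGISTRY_KEYS if k.lower() in lowered]
    hits += [("file_path", p) for p in FILE_PATHS if p.lower() in lowered]
    return list(dict.fromkeys(hits))


def scan_logs(lines) -> list:
    """Return [(line_number, hits)] for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample records (proxy, DNS, Sysmon-style, EDR); not real telemetry.
SAMPLE_LOGS = [
    "2021-01-26T10:02:11Z 10.0.0.12 GET https://codevexillium.org/image/download/download.asp 200",
    "2021-01-26T10:02:15Z 10.0.0.12 GET https://www.example.com/index.html 200",
    "2021-01-26T10:03:40Z 10.0.0.12 query A cdn.opsonew3org.sg",
    "2021-01-26T10:04:02Z EventID=13 TargetObject=HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SSL Update",
    "2021-01-26T10:04:05Z EventID=11 TargetFilename=C:\\ProgramData\\VMware\\vmnat-update.bin",
    "2021-01-26T10:04:09Z EventID=1 Hashes=SHA256=A4FB20B15EFD72F983F0FB3325C0352D8A266A69BB5F6CA2EBA0556C3E00BD15",
]

if __name__ == "__main__":
    for number, hits in scan_logs(SAMPLE_LOGS):
        print(number, hits)
```

Domain matching deliberately does not walk up to parent domains: the compromised legitimate sites are listed with a `www.` prefix, and flagging every request to the parent domain would produce noise without evidence from the list above. Hash and path matching is case-insensitive because EDR products vary in how they case SHA-256 values and Windows paths.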