Google says state-sponsored North Korean hackers are once again trying to target security researchers, this time with a new zero-day exploit that can spy on a victim’s computer.
The suspected North Korean hackers have been doing so by using Twitter and Mastodon social media accounts to build a “rapport with their targets,” Google warned in a blog post on Thursday.
“In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest,” the company said. “After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire.”
The North Korean hackers then sent the security researcher a file that was actually a malicious software package exploiting at least one unpatched vulnerability, making it a zero-day exploit. The attack worked by first checking whether the security researcher’s computer had any antivirus software installed. It then proceeded to collect information, including grabbing a screenshot, which was sent to a hacker-controlled internet domain.
Google didn’t supply details about the vulnerability, such as which software it affects. But the company has already reported the flaw to the vendor, which is now working on a patch. “Once patched, we will release additional technical details and analysis of the exploits,” Google added.
The attack represents the latest campaign from the North Korean hackers, who have been targeting the IT security community with the same tactics since at least 2021 by pretending to be security researchers themselves. In this new campaign, Google says the North Korean actors also published a free debugging tool called “GetSymbol Project” on GitHub to trick security researchers into downloading it. In reality, the tool has “the ability to download and execute arbitrary code from an attacker-controlled domain,” meaning it can secretly infect a PC with malware.
(dbgsymbol[.]com)

“If you have downloaded or run this tool, TAG (Google's Threat Analysis Group) recommends taking precautions to ensure your system is in a known clean state, likely requiring a reinstall of the operating system,” the company went on to warn.
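The one indicator the article carries is the defanged domain dbgsymbol[.]com that the GetSymbol tool reaches back to. As an added example (not code from Google or from the article), the script below refangs such indicators and scans DNS query logs for lookups of the domain or any of its subdomains, which is the kind of check a defender would run to find hosts that may have executed the tool. The log format, the client addresses and the timestamps are constructed for the example; only the domain comes from the article.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicator quoted in the article, in the defanged form the reporting used.
IOC_DOMAINS_DEFANGED = ["dbgsymbol[.]com"]

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into 'example.com'."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")

def matches_ioc(query: str, ioc_domains: Iterable[str]) -> Optional[str]:
    """Return the matching indicator if `query` is that domain or a subdomain of it.

    The trailing-dot and suffix handling matters: 'cdn.dbgsymbol.com.' should
    match, while 'notdbgsymbol.com' (a different registered domain) must not.
    """
    q = query.lower().rstrip(".")
    for ioc in ioc_domains:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None

# Constructed sample DNS log: "<timestamp> <client-ip> <query-name> <record-type>".
SAMPLE_DNS_LOG = """\
2023-09-07T10:01:12Z 10.0.0.15 www.example.com A
2023-09-07T10:02:40Z 10.0.0.15 dbgsymbol.com A
2023-09-07T10:02:41Z 10.0.0.23 cdn.dbgsymbol.com. A
2023-09-07T10:03:05Z 10.0.0.42 notdbgsymbol.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def scan_dns_log(log_text: str,
                 defanged_iocs: Iterable[str] = IOC_DOMAINS_DEFANGED) -> List[Dict[str, str]]:
    """Return one hit per log line whose query name matches an indicator."""
    iocs = [refang(d) for d in defanged_iocs]
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, query, _rtype = m.groups()
        ioc = matches_ioc(query, iocs)
        if ioc:
            hits.append({"timestamp": ts, "client": client,
                         "query": query.rstrip("."), "ioc": ioc})
    return hits

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['timestamp']} {hit['client']} queried {hit['query']} (IoC: {hit['ioc']})")
```

Any client that shows up in the output is a candidate for the rebuild TAG recommends; absence of a hit is not a clean bill of health, since the lookup may have happened outside the log's retention window or over a resolver the log does not see.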
To protect users, the company says the Chrome browser will start flagging the sites used in the North Korean hacking campaign as dangerous. Both Twitter and Mastodon have also taken down the user accounts the hackers controlled to phish the security researchers.
“We hope this post will remind security researchers that they could be targets of government backed attackers and to stay vigilant of security practices,” Google added.