Hacking: North Korea comes back through the back door


Same players, new round. More than two years after exposing a malicious campaign by North Korea targeting security researchers, the Threat Analysis Group (TAG), Google's security team specializing in hunting advanced persistent threat groups, has just issued a new alert.

The new campaign is "probably carried out by the same actors" and shows "similarities" to the previous malicious operation. According to Google's specialists, at least one zero-day vulnerability (an unknown flaw of the kind actively sought by attackers) has been used to target security researchers in recent weeks. As reported by BleepingComputer, the likely end goal of the North Korean hackers was to obtain security vulnerabilities that have not yet been disclosed.

Fake profiles

The targeted security researchers were first approached on the social network X (formerly Twitter). A screenshot shared by Google reveals one of the attackers' handles, @Paul091_, whose profile picture shows a cat in profile on a branch in front of threatening clouds. The account claims to be a security researcher and software developer, and mentions a tool called GetSymbol.

The exchanges then moved to messaging applications such as Signal, WhatsApp and Wire. Once the attackers had gained the researcher's trust, they would send a malicious file exploiting the aforementioned vulnerability in an unspecified software package. The flaw has reportedly been reported to the software vendor and is being fixed.

Backdoor to an open source tool

GetSymbol, the software mentioned by "Paul091_", has also attracted the attention of Google's experts. This open source reverse engineering tool, whose source code was released in September 2022, is in fact a dangerous Trojan horse.

This potential secondary infection vector would allow code to be executed remotely from an attacker-controlled domain. Google's experts recommend that researchers who have installed this tool take precautions, for example by reinstalling their operating system.
