iTnews Asia

Google warns security researchers of North Korean campaign

Attackers used as-yet-unpatched zero-day.

By Richard Chirgwin on Sep 11, 2023 11:25AM

Google has disclosed details of a long campaign by North Korean threat actors, using zero-day vulnerabilities to attack security researchers.

The Google Threat Analysis Group (TAG) publication said the ongoing campaign first emerged in January 2021.

The current zero-day being used by the threat actors was discovered in the past few weeks, TAG said, adding it has been reported to the unnamed vendor, and is “in the process of being patched”.

TAG said the attackers took a long view: they would strike up conversations with security researchers on social media sites “to build rapport with their targets”, before asking to shift conversations to encrypted messaging apps under the guise of collaborating on “topics of mutual interest”.

In one case, TAG said, the attacker spent months cultivating their target.

The next phase of the attack was to send the security researcher a malicious file “that contained at least one 0-day in a popular software package.”

A second tool was presented as a Windows application to “download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers”, using a project called GetSymbol published on GitHub in September 2022.

While symbols are “helpful when debugging software issues or while conducting vulnerability research”, this package “has the ability to download and execute arbitrary code from an attacker-controlled domain”, TAG said.

It advised anyone using the software to run a clean installation of their operating system.

The TAG post includes a full list of attacker-controlled domains and accounts, including the GetSymbol and command-and-control domains, X accounts (@Paul091_), a Wire account (@Paul354), and a Mastodon account (@paul091_).
