A North Korean hacker group disguises itself as a fake security company and seeks contact with established security researchers to tap their knowledge in supposedly joint projects.
The Google Threat Analysis Group (TAG) has discovered a new tactic used by hackers. Threat actors, allegedly state-sponsored and backed by the North Korean ruling party, have built a network of fake profiles on social media, including Twitter, Keybase and LinkedIn.
"In order to gain credibility and connect with security researchers, the actors set up a research blog and several Twitter profiles to interact with potential targets," said Google. "They used these Twitter profiles to post links to their blog, post videos of their alleged exploits, and to reinforce and retweet posts from other accounts they control."
Once members of the group had achieved their aim of gaining a reputation in the security community, they would ask whether their intended victim would like to collaborate on cybersecurity research, before sending them a malicious Visual Studio project containing a backdoor. Alternatively, they asked the researchers to visit a blog containing malicious code, including browser exploits.
In a March 31 update, TAG's Adam Weidemann stated that the state-sponsored group has now changed its tactics by starting a fake offensive security company, complete with new social media profiles and a branded website.
The fake company, called "SecuriElite", was set up on March 17th under the domain secure elite [.] Com (written here in defanged form). SecuriElite claims to be based in Turkey and offers penetration testing, software security assessments and exploits.
A link to a PGP public key has been added to the website. While offering PGP as an option for secure communication is standard practice, the group has used such links in the past to lure its targets to a page where a browser-based exploit is waiting to be deployed.
In addition, the SecuriElite "team" was equipped with a new set of fake social media profiles. The threat actors pose as fellow security researchers, as recruiters for cybersecurity companies and, in one case, as the HR manager of "Trend Macro", not to be confused with the reputable company Trend Micro.
The Google team had linked the North Korean group to the use of an Internet Explorer zero-day back in January. The company believes it is likely that the group has access to additional exploits and will continue to use them against reputable security researchers in the future.
"We have reported all identified social media profiles to the platforms so that they can take appropriate action," said Google. "At the time, we didn't see the new attacker website offering malicious content, but we added it to Google Safe Browsing as a precautionary measure."