North Korea-linked hackers target security experts again

March 31, 2021 - SecurityAffairs

Researchers from Google’s Threat Analysis Group (TAG) reported that North Korea-linked hackers are targeting security researchers via social media.

The cyberspies used fake Twitter and LinkedIn accounts to get in contact with the victims. Experts identified two accounts impersonating recruiters for antivirus and security companies. The social media profiles were quickly removed after Google reported them to the respective platforms.

Google researchers discovered that threat actors also created a website for a fake cybersecurity firm named SecuriElite offering offensive security services, including pentests, security assessments, and exploits.

Experts noticed that the website used in this campaign links to the same PGP public key that was found on the attackers’ blog in a campaign spotted in January.

“On March 17th, the same actors behind those attacks set up a new website with associated social media profiles for a fake company called “SecuriElite.”” reads the post published by Google TAG.

“The new website claims the company is an offensive security company located in Turkey that offers pentests, software security assessments and exploits. Like previous websites we’ve seen set up by this actor, this website has a link to their PGP public key at the bottom of the page. In January, targeted researchers reported that the PGP key hosted on the attacker’s blog acted as the lure to visit the site where a browser exploit was waiting to be triggered.”

Unlike in the January campaign, the SecuriElite website was not yet hosting malicious exploits to deliver malware.

In January the attackers employed an Internet Explorer 0-day vulnerability in their attacks, but TAG researchers believe that these actors likely have more 0-day exploits in their code.

“At this time, we have not observed the new attacker website serve malicious content, but we have added it to Google Safebrowsing as a precaution,” Threat Analysis Group’s researchers conclude. “Based on their activity, we continue to believe that these actors are dangerous, and likely have more 0-days.”

In January, researchers from Microsoft and Google monitored a cyber espionage campaign aimed at vulnerability researchers and attributed the attacks to the North Korea-linked Zinc APT group.

The hackers employed a custom backdoor to compromise the systems of the vulnerability researchers.


Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

