North Korean hackers vs. Security Researchers: A battle of wits or an attack from the shadows?

The attackers chose an unusual but reliable weapon: a zero-day in popular software.

Google's Threat Analysis Group (TAG) reports that North Korean state hackers are targeting cybersecurity researchers. The attacks exploit at least one zero-day vulnerability in popular software that Google has not named.

Google has not yet disclosed details of the zero-day or the name of the affected software, probably because the vendor is still in the process of fixing the vulnerability.

The attackers use the social networks X (Twitter) and Mastodon to lure victims into encrypted messengers such as Signal, Wire or WhatsApp. After building a relationship and moving the conversation to these channels, they send the victims malicious files that exploit the zero-day.

The shellcode delivered to the researchers' systems checks whether it is running in a virtual machine, then sends the collected information (including screenshots) to the attackers' command and control (C2) servers. The attackers also use the open-source getSymbol tool, which, beyond its basic functions, can download and execute arbitrary code.

Although Google does not disclose the specific targets of the attacks, their evident aim is to obtain unpublished vulnerabilities and exploits by going after particular researchers. Experts recommend that anyone who has downloaded or run the getSymbol tool take precautions to ensure the security of their systems.
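One of the precautions mentioned above is simply finding out whether a copy of the tool is present on a machine. The following script is an added example, not code from the original post or from Google TAG: it walks a directory tree, lists every file whose name contains a given fragment, and records a SHA-256 hash of each hit so that the result can be compared against whatever indicators the vendor publishes. The file names and contents in `demo()` are constructed for illustration, and the assumption that the tool's files carry the name "getsymbol" is a guess; adjust the fragment to your own inventory.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not land in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_tool_copies(root, name_fragment="getsymbol"):
    """Return a sorted list of (relative path, sha256) for every file under
    root whose name contains name_fragment (case-insensitive).

    Assumption: the tool's files carry its name on disk; that is not
    confirmed by the report, so treat the fragment as a starting point.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if name_fragment in filename.lower():
                full = Path(dirpath) / filename
                rel = str(full.relative_to(root)).replace(os.sep, "/")
                hits.append((rel, sha256_of(full)))
    return sorted(hits)


def demo():
    """Build a constructed sample tree (placeholder contents, not the real
    tool) and run the inventory over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "GetSymbol.py").write_bytes(b"# constructed placeholder\n")
        (root / "notes.txt").write_bytes(b"unrelated file\n")
        (root / "archive").mkdir()
        (root / "archive" / "getsymbol-old.zip").write_bytes(b"PK constructed placeholder")
        return find_tool_copies(root)


if __name__ == "__main__":
    for rel_path, file_hash in demo():
        print(f"{file_hash}  {rel_path}")
```

Run it against a real home directory or tool folder by calling `find_tool_copies("/path/to/scan")`; the hashes it prints are what you would compare against an indicator list, since a matching file name alone says nothing about whether the copy was modified.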