Security researchers are North Korea's latest malware targets
posted Sunday Mar 12, 2023 by Scott Ertz
The one constant rule of the internet is: scammers and hackers are everywhere and no one is safe. But, with that law of reality, you must protect yourself. We see scammers sending out phishing emails, stealing your clipboard, and even matching on dating sites. This week, professional hackers from North Korea have aimed at those who help us know these attacks exist.
Security researchers at risk
Security researchers at security firm Mandiant have announced that they have identified a targeted effort to attack security researchers. This attack is coming from threat actors tied directly to the government of North Korea. This is not the first time that North Korean hackers have targeted researchers, but this campaign has a new angle.
The last big campaign was identified by Google's TAG (Threat Analysis Group) in 2021. The campaign revolved around a fake company (SecuriElite) offering security services to researchers. They would reach out via Twitter and LinkedIn offering services. When PGP security keys were exchanged, malware was attached infecting the recipient. From there, the hackers had access to the researcher's computer.
The new tactics
This time, they have altered the tactic. Rather than just a fake company offering services, this time they switched to recruitment. Lots of organizations need professional security researchers, including media organizations, and this was the plan.
The hackers, dubbed UNC2970, would create fake LinkedIn profiles attached to legitimate organizations. They would report as HR recruiters for The New York Times, for example, and reach out to researchers on LinkedIn. They would start a conversation about joining the organization and would then try to move the conversation to another platform. This is always a red flag - especially if the target destination is WhatsApp. If they wouldn't go for that, the hackers would also offer email as a choice.
The actual attack comes after the recruiter becomes comfortable with the conversation. The hacker will offer a job and send an offer letter or an assessment test. The letter looks completely legitimate, fully branded and all. But, the content is irrelevant - the Word document contains a macro that downloads the malicious payload from a remote server. With that, the computer is infected and under North Korea's control. The full details are impressive in depth,
The ZIP file delivered by UNC2970 contained what the victim thought was a skills assessment test for a job application. In reality, the ZIP contained an ISO file, which included a trojanized version of TightVNC that Mandiant tracks as LIDSHIFT. The victim was instructed to run the TightVNC application which, along with the other files, are named appropriately to the company the victim had planned to take the assessment for.
In addition to functioning as a legitimate TightVNC viewer, LIDSHIFT contained multiple hidden features. The first was that upon execution by the user, the malware would send a beacon back to its hardcoded C2; the only interaction this needed from the user was the launching of the program. This lack of interaction differs from what MSTIC observed in their recent blog post. The initial C2 beacon from LIDSHIFT contains the victim's initial username and hostname.
LIDSHIFT's second capability is to reflectively inject an encrypted DLL into memory. The injected DLL is a trojanized Notepad++ plugin that functions as a downloader, which Mandiant tracks as LIDSHOT. LIDSHOT is injected as soon as the victim opens the drop down inside of the TightVNC Viewer application. LIDSHOT has two primary functions: system enumeration and downloading and executing shellcode from the C2.
This is a scary development for this particular group. Taking on security researchers is a big task, as they are the ones who let us know these attacks are happening. Hopefully the attacks haven't been successful, but if they have been, it proves that no one is safe.
