A North Korean state-sponsored campaign that had been targeting security researchers has resurfaced with new tactics and infrastructure.
Fake websites and social media accounts:
According to Google's Threat Analysis Group (TAG), the actors behind the campaign have set up a phony cybersecurity firm named SecuriElite, along with a number of fake Twitter and LinkedIn profiles.
The profiles are used to lure unsuspecting security researchers to the fake company's website, which is positioned as a booby trap where a browser exploit can be served to visitors.
The website presents SecuriElite as an offensive-security firm based in Turkey offering penetration testing, software security assessments, and exploits.
The site went live on March 17 and lent itself credibility by linking to the fake Twitter and LinkedIn accounts.
Eight Twitter profiles and seven LinkedIn profiles were set up, posing as security researchers and human-resources staff at established organizations, with a few others posing as the chief executive officer and employees of the fake company. All of the accounts have since been suspended by the platforms.
How the campaign was discovered:
TAG first flagged the campaign after a linked actor set up a fake research blog and accounts on Twitter, LinkedIn, Telegram, Discord, and Keybase to contact researchers and build trust.
Once trust was established, a Windows backdoor was delivered through a trojanized Visual Studio project shared with the researcher.
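A check a researcher can run on a project received from a stranger, added here as example code (not Google TAG's, ENKI's, or the attackers' code): an MSBuild project can execute arbitrary commands when it is built, through PreBuildEvent, PreLinkEvent and PostBuildEvent elements and through <Exec> tasks inside custom targets. The scanner below parses a .vcxproj or .csproj, lists every such command, and flags ones that invoke commonly abused Windows binaries. The two embedded project files, their commands and the binary list are constructed for the demonstration and are not taken from the real samples.

```python
"""Scan Visual Studio / MSBuild project files for build-time command execution.

Added example for this article, not code from Google TAG, ENKI or the campaign.
Handles both namespaced (.vcxproj, old-style .csproj) and SDK-style projects.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Elements whose content is run as a shell command by MSBuild during a build.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")

# Living-off-the-land binaries worth a second look in a build step.
# Assumption for the demo; extend the list for your environment.
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|powershell|pwsh|mshta|certutil|cmd|wscript|cscript|bitsadmin|msbuild)(\.exe)?\b",
    re.IGNORECASE,
)

# Constructed sample of a C++ project with a suspicious pre-build step,
# a benign post-build step, and an Exec task in a custom target.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="main.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>rundll32.exe $(SolutionDir)stage.dll,Run</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Stage" AfterTargets="Build">
    <Exec Command="powershell -ExecutionPolicy Bypass -File $(SolutionDir)tools/setup.ps1" />
  </Target>
</Project>
"""

# Constructed SDK-style C# project: no namespace, event text inline.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <PreBuildEvent>cmd /c "$(ProjectDir)prep.bat"</PreBuildEvent>
  </PropertyGroup>
</Project>
"""


def _local(tag):
    """Strip the XML namespace prefix, so '{ns}Exec' becomes 'Exec'."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(project_xml):
    """Return (kind, command) pairs for every command the project would run at build time."""
    root = ET.fromstring(project_xml)
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name in EVENT_TAGS:
            # .vcxproj nests the command in a <Command> child; SDK-style projects
            # put the text directly inside the event element.
            cmd_el = next((c for c in el if _local(c.tag) == "Command"), None)
            cmd = (cmd_el.text if cmd_el is not None else el.text) or ""
            if cmd.strip():
                found.append((name, cmd.strip()))
        elif name == "Exec" and el.get("Command"):
            found.append(("Exec", el.get("Command").strip()))
    return found


def flag_suspicious(commands):
    """Keep only commands that invoke a binary from the SUSPICIOUS list."""
    return [(kind, cmd) for kind, cmd in commands if SUSPICIOUS.search(cmd)]


def scan_file(path):
    """Scan a project file on disk; returns (all_commands, suspicious_commands)."""
    with open(path, encoding="utf-8-sig") as fh:
        cmds = find_build_commands(fh.read())
    return cmds, flag_suspicious(cmds)


if __name__ == "__main__":
    # With no arguments, scan the embedded constructed samples.
    targets = sys.argv[1:]
    if targets:
        results = [(p, *scan_file(p)) for p in targets]
    else:
        results = [(n, find_build_commands(x), flag_suspicious(find_build_commands(x)))
                   for n, x in (("SAMPLE_VCXPROJ", SAMPLE_VCXPROJ), ("SAMPLE_CSPROJ", SAMPLE_CSPROJ))]
    for name, cmds, bad in results:
        print(f"{name}: {len(cmds)} build-time command(s), {len(bad)} suspicious")
        for kind, cmd in cmds:
            print(f"  [{'!' if (kind, cmd) in bad else ' '}] {kind}: {cmd}")
```

The scanner only covers what is visible in the project file itself: <Import> of external .props/.targets files, custom task assemblies and NuGet build scripts can also run code, so an unfamiliar project should be opened only in a disposable VM regardless of what the scan reports.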
Shortly afterwards, the South Korean security firm ENKI disclosed an Internet Explorer zero-day vulnerability that the same actors had used against its security team, delivered through malicious MHTML files.
Although the fake website has not yet been observed serving malicious content, Google has added its URL to the Safe Browsing blocklist as a precaution.
The episode shows that state-backed attackers are increasingly willing to rebuild and refine a campaign after exposure, and that security researchers themselves, even in well-protected environments, remain attractive targets.