Threat Analysis Group shares findings on a new campaign by North Korean actors targeting security researchers.
Analysis Summary
# Threat Actor: North Korean Threat Actors (Government-Backed)
## Attribution & Identity
Attributed to government-backed actors originating from North Korea. Previously reported in January 2021 by Google’s Threat Analysis Group (TAG).
## Activity Summary
The actors are engaged in targeted campaigns against **security researchers** working on vulnerability research and development. A recent campaign, similar to the 2021 disclosure, involved exploiting at least one actively exploited 0-day vulnerability in a popular software package. In parallel, the actors also developed and distributed a seemingly benign Windows tool named "GetSymbol", presented as a downloader for debugging symbols, which contained functionality to download and execute arbitrary code from attacker-controlled domains.
## Tactics, Techniques & Procedures
- **Initial Access:** Social engineering via social media (X/Twitter) to build rapport, followed by moving conversations to encrypted messaging apps (Signal, WhatsApp, Wire).
- **Exploitation:** Delivering a malicious file containing at least one 0-day exploit.
- **Execution/C2:** Upon exploitation, the planted shellcode executes anti-virtual machine checks.
- **Exfiltration:** Collection of system information, including a screenshot, and exfiltration to an attacker-controlled command and control domain.
- **Tool Development (Secondary Vector):** Development of a standalone Windows utility ("GetSymbol") disguised as a symbol downloader, capable of remote code execution.
- **TTP Similarity:** The shellcode used is constructed in a similar manner to previous North Korean exploits.
## Targeting
- Sectors: **Security Researchers** (those involved in vulnerability research and development).
- Geography: Global; the campaign reaches its targets through the online communication channels researchers typically use.
- Victims: Security researchers engaged in vulnerability research. A patch for the exploited vulnerability was issued on September 12, 2023.
## Tools & Infrastructure
- **Malware families used:** Custom shellcode delivered through the exploited software.
- **Secondary Tool:** "GetSymbol" (a Windows tool for debugging symbols, with hidden remote code execution capability).
- **Infrastructure (C2):** Attacker-controlled command and control domains for communication and exfiltration.
## Implications
This demonstrates continued, sophisticated targeting by North Korean entities specifically aimed at compromising the research community, likely to gain advance knowledge of vulnerabilities before they are disclosed or patched, or to compromise the researchers themselves. The use of 0-days highlights their commitment to high-impact, stealthy initial access methods. The distribution of a legitimate-looking utility ("GetSymbol") shows an attempt to broaden their access methods beyond direct zero-day exploitation.
## Mitigations
- Security researchers must remain highly vigilant regarding communication, even after months-long, seemingly collaborative interactions on platforms like X/Twitter.
- Exercise extreme caution when accepting files or engaging in collaboration that moves to end-to-end encrypted messaging apps.
- Ensure all software packages, especially those frequently used for research, are immediately updated upon patch release (the exploited vulnerability was patched around September 12, 2023).
- System integrity check: If the standalone "GetSymbol" tool has been downloaded or run, TAG advises a full system reinstallation/reimage to ensure a clean state.
- Enable Enhanced Safe Browsing protections if using Google services (Gmail, Chrome).
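To act on the "GetSymbol" integrity check above, a defender first needs to know whether the tool ever landed on or ran on a host. The following triage script is an added example, not TAG's tooling and not code from the report; the report gives no file name, hash or install path for the tool, so it assumes only that the binary carried the published name "GetSymbol" and looks for that string in common download locations, Prefetch execution records, Run keys and scheduled-task actions. A match is a lead for triage (and, per the guidance above, a reason to plan a reimage), not proof of compromise, and an empty result only covers the paths checked.

```powershell
# Added hunt script (assumption: the tool was stored or run under a name
# containing "GetSymbol"; real file names/hashes are not in the report).
# Run in an elevated PowerShell session on the Windows host being checked.

$pattern = '*GetSymbol*'

# 1. Files on disk in the usual landing spots for downloaded tools.
$roots = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    "$env:USERPROFILE\Documents",
    "$env:TEMP",
    "$env:ProgramData",
    "$env:LOCALAPPDATA"
)
$files = foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Filter $pattern -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

# 2. Prefetch records prior executions as <EXENAME>-<hash>.pf, so a hit here
#    means the binary ran even if the file itself has since been deleted.
$prefetch = @()
$pfDir = "$env:SystemRoot\Prefetch"
if (Test-Path $pfDir) {
    $prefetch = Get-ChildItem -Path $pfDir -Filter "$pattern.pf" -File -ErrorAction SilentlyContinue |
        Select-Object Name, CreationTime, LastWriteTime
}

# 3. Persistence: Run keys whose command line references the name.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$autoruns = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ("$($p.Value)" -like $pattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# 4. Scheduled tasks whose action (executable + arguments) references the name.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    @($_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -like $pattern }).Count -gt 0
} | Select-Object TaskName, TaskPath

# Report: count every candidate artifact and print the details for triage.
$hits = @($files).Count + @($prefetch).Count + @($autoruns).Count + @($tasks).Count
if ($hits -eq 0) {
    Write-Output "No '$pattern' artifacts in the checked locations (coverage limited to these paths; not a clean bill of health)."
} else {
    Write-Output "Found $hits candidate artifact(s) matching '$pattern'. Preserve evidence, then follow the reimage guidance."
    if ($files)    { Write-Output '--- Files on disk ---';     $files    | Format-Table -AutoSize }
    if ($prefetch) { Write-Output '--- Prefetch (ran) ---';    $prefetch | Format-Table -AutoSize }
    if ($autoruns) { Write-Output '--- Run keys ---';          $autoruns | Format-Table -AutoSize }
    if ($tasks)    { Write-Output '--- Scheduled tasks ---';   $tasks    | Format-Table -AutoSize }
}
```

The Prefetch check is the most useful of the four for this case: the report's concern is that the tool was *run*, and a Prefetch entry survives deletion of the binary itself. Because the script only matches a name the attacker chose, a renamed copy would evade it; once vendor hashes or other indicators are available, they should replace the name pattern.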