Google’s Threat Analysis Group (TAG) says North Korean state hackers are again targeting security researchers in attacks using at least one zero-day in an undisclosed popular software.

Researchers attacked in this campaign are involved in vulnerability research and development, according to Google’s team of security experts that protects the company’s users from state-sponsored attacks.

Google has yet to disclose details on the zero-day flaw exploited in these attacks and the name of the vulnerable software, likely because the vendor is still in the process of patching the vulnerability.

“TAG is aware of at least one actively exploited 0-day being used to target security researchers in the past several weeks,” Google TAG’s Clement Lecigne and Maddie Stone said.

“The vulnerability has been reported to the affected vendor and is in the process of being patched.”

Mastodon and Twitter used to contact targets

The attackers use Twitter and Mastodon social media to lure targeted security researchers into switching to encrypted messaging platforms like Signal, Wire, or WhatsApp.

After establishing a relationship and moving to secure communication channels, the attackers send them malicious files designed to exploit the zero-day.

The shellcode payload deployed on the researchers’ systems checks if it runs in a virtual machine and then sends collected information (including screenshots) to the attackers’ command and control servers.

They also use the open-source GetSymbol tool for reverse engineers that should only help download Microsoft, Google, Mozilla, and Citrix debugging symbols but, instead, also allows downloading and executing arbitrary code.

“If you have downloaded or run this tool, TAG recommends taking precautions to ensure your system is in a known clean state, likely requiring a reinstall of the operating system,” Lecigne and Stone warned.

Under attack since at least January 2021

This campaign is similar to a previous one exposed in January 2021 that also used Twitter and other social media platforms like LinkedIn, Telegram, Discord, and Keybase as the initial contact vector, presumably orchestrated by the same actors.

In these attacks, the North Korean threat actors also used zero-days to infect security researchers’ fully patched Windows 10 systems with backdoors and info-stealing malware.

Microsoft also reported tracking the January 2021 attacks and seeing Lazarus Group operators infecting researchers’ devices using MHTML files with malicious JavaScript code.

In March 2021, Google TAG revealed the attacks picked up again, targeting security researchers using fake LinkedIn and Twitter social media accounts and a fake company named SecuriElite.

Earlier this year, in March, Mandiant also picked up on and exposed a suspected North Korean hacking group attacking security researchers and media organizations in the United States and Europe using fake job offers to infect them with new malware.

Although Google has not explicitly outlined the objectives of these attacks, their primary goal appears to be the acquisition of undisclosed security vulnerabilities and exploits by targeting specific researchers.