In the first edition of its new Threat Horizons report, Google, among other detected cyber threats, described state-sponsored North Korean hackers who used a fairly plain tactic: posing as Samsung recruiters. The threat actors sent fake job offers to employees of South Korean security companies that sell anti-malware software.
Besides the message text, the fake emails carried a PDF attachment. The attackers deliberately malformed the PDF so that it would not open in a standard PDF reader. When a prospective victim complained that the file would not open, the attackers offered them a supposed “Secure PDF Reader” app. The link led to a modified build of PDFTron, which the attackers had altered specifically to install a backdoor trojan on the victim’s computer.
Codenamed “Zinc”, the same group conducted earlier attacks on security researchers
Google’s Threat Analysis Group (TAG) believes this is the same group that earlier targeted security researchers, mainly on Twitter and other social networks, in late 2020 and throughout 2021. Tracked by Google under the codename “Zinc”, the group surprised cyber security specialists with its tactics. According to the report, this is not the first time the threat actors have used an altered PDF reader: last year they used a modified version of SumatraPDF to decrypt and drop an implant, with legitimate PE files embedded within the viewer itself. Security specialists also note that other threat groups have recently used a similar technique, delivering a malicious PDF viewer to open malformed PDFs.
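The lure described above relies on a PDF that deliberately fails to parse, which pushes the recipient toward the attacker’s own reader. A mail gateway or endpoint tool can flag such attachments before anyone is tempted to download a third-party viewer. The following Python script is an added example, not code from the report or from Google: it builds a well-formed PDF with correct cross-reference offsets as a constructed sample, breaks it in two hypothetical ways that make ordinary readers reject the file, and runs a structural check that reports what is wrong. The report does not say how the real lure files were malformed, so the two corruption routines are illustrations only.

```python
import re
from typing import List


# Constructed sample: a well-formed PDF with a correct cross-reference table.
# Not a file from the report; built here so the checks below run offline.
def build_minimal_pdf() -> bytes:
    header = b"%PDF-1.4\n"
    objects = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
    ]
    body, offsets = b"", []
    for obj in objects:
        offsets.append(len(header) + len(body))  # byte offset of each object
        body += obj
    xref_offset = len(header) + len(body)
    xref = b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        xref += b"%010d 00000 n \n" % off
    trailer = b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_offset)
    return header + body + xref + trailer


# Two hypothetical ways of breaking a PDF so a standard reader refuses it.
# The report does not describe how the lure files were malformed.
def corrupt_startxref(pdf: bytes) -> bytes:
    """Point startxref at an offset beyond the end of the file."""
    return re.sub(rb"startxref\s+\d+", b"startxref\n9999999", pdf)


def strip_header(pdf: bytes) -> bytes:
    """Remove the %PDF- signature so the file is not recognised as a PDF at all."""
    return pdf.split(b"\n", 1)[1]


def check_pdf(data: bytes) -> List[str]:
    """Return structural problems found; an empty list means the file looks like an ordinary PDF."""
    problems = []
    if not data.startswith(b"%PDF-1."):
        problems.append("header: file does not begin with %PDF-1.x")
    tail = data[-1024:]
    if b"%%EOF" not in tail:
        problems.append("trailer: no %%EOF marker in the last 1 KiB")
    m = re.search(rb"startxref\s+(\d+)\s*%%EOF", tail)
    if m is None:
        problems.append("trailer: no startxref offset before %%EOF")
    else:
        off = int(m.group(1))
        at_xref_table = data.startswith(b"xref", off)
        at_xref_stream = re.match(rb"\d+ \d+ obj", data[off:off + 32]) is not None
        if off >= len(data) or not (at_xref_table or at_xref_stream):
            problems.append(f"xref: startxref points to offset {off}, which holds no xref table or stream")
    if b"/Root" not in data:
        problems.append("trailer: no /Root catalog reference")
    # Keys that make a PDF do more than display pages; worth a look even when the file parses.
    for key in sorted(set(re.findall(rb"/(JavaScript|JS|Launch|OpenAction)\b", data))):
        problems.append(f"active content: /{key.decode()} present")
    return problems


if __name__ == "__main__":
    clean = build_minimal_pdf()
    for name, sample in [("clean", clean),
                         ("bad startxref", corrupt_startxref(clean)),
                         ("no header", strip_header(clean))]:
        print(f"{name}: {check_pdf(sample) or 'OK'}")
```

The check is intentionally shallow: it looks only at the header, the trailer and whether the cross-reference offset lands on something plausible, which is enough to separate “this file was never meant to open in a normal reader” from a genuinely corrupted download. The operational point is the response: an attachment that fails this check should be quarantined and reported, not worked around by installing whichever viewer the sender recommends.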
The report draws on threat intelligence from the Threat Analysis Group, Google Cloud Threat Intelligence for Chronicle, Trust and Safety, and other internal teams. Google plans further threat intelligence reports covering trend tracking, threat horizon scanning, and Early Warning announcements about emerging threats that require immediate action.
Besides the North Korean group, the first edition of Threat Horizons also reports on signs of BlackMatter activity, fraudsters using new TTPs to abuse Cloud resources, and the Russian threat group APT28 / Fancy Bear launching a Gmail phishing campaign. The report also covers compromised Google Cloud instances that threat actors used for cryptocurrency mining. For each case, TAG provided possible risk mitigations for Google customers.
The first edition of Google’s Threat Horizons covers a significant amount of data
For each exploited vulnerability, Threat Horizons gives the percentage of compromised instances affected:
In most cases, threat actors tried to pump traffic to YouTube and profit from cryptocurrency mining. The percentages for the actions taken after compromise are as follows:
TAG also noted that the totals do not add up to 100%, as some compromised instances were used for multiple malicious activities.