North Korea hackers targeted security companies

In the first edition of its new Threat Horizons report, Google, among other detected cyber threats, mentioned state-sponsored North Korean hackers who employed a rather plain tactic: pretending to be Samsung recruiters. The threat actors made fake job offers to employees of South Korean security companies that sell anti-malware software.

Apart from the text of the message itself, those fake emails contained a PDF attachment. However, the hackers malformed the PDFs so that they would not open in a standard PDF reader. If the potential victim complained that the file did not open, the hackers would also provide them with an allegedly “Secure PDF Reader” app. The link redirected the unsuspecting recipients to a file: a modified version of PDFTron. The hackers specifically altered this PDF reader to install a backdoor trojan on the victim’s computer.

Codenamed “Zinc”, the same group conducted earlier attacks on security researchers

The Google Threat Analysis Group thinks this is the same hacker group that earlier targeted various security researchers, mainly on Twitter and other social networks, in late 2020 and throughout 2021. Identified by Google under the codename “Zinc”, they quite surprised cyber security specialists with their tactics. According to the same report, it is not the first time these threat actors have used a malformed PDF reader. Last year the hackers tried to use an altered version of SumatraPDF to decrypt and drop an implant. They also added legitimate PE files that were embedded within the viewer itself. Cyber security specialists note that they have recently seen other threat groups using a similar technique of delivering a malicious PDF viewer to open malformed PDFs.

The report is based on threat intelligence data from the Threat Analysis Group, Google Cloud Threat Intelligence for Chronicle, Trust and Safety, and other internal teams. Google plans further threat intelligence reports that will cover trend tracking, threat horizon scanning and Early Warning announcements about emerging threats requiring immediate action.


Besides the North Korean hacker group, the first edition of Threat Horizons also reports on signs of BlackMatter activity, fraudsters who use new TTPs to abuse Cloud resources, and the Russian threat group APT28 / Fancy Bear launching a Gmail phishing campaign. The report also brought up compromised Google Cloud instances that threat actors used for cryptocurrency mining. For each case, TAG provided possible risk mitigation solutions for Google customers.

First edition of Google’s Threat Horizons covers a significant amount of data

For each exploited weakness, Threat Horizons provides the percentage of compromised instances affected:

  • Leaked credentials (4%);
  • Misconfiguration of the Cloud instance or of third-party software (12%);
  • Other unspecified issues (12%);
  • Vulnerability in third-party software in the Cloud instance that was exploited (26%);
  • Weak or no password for a user account, or no authentication for APIs.

In most cases, threat actors tried to pump traffic to YouTube and profit from cryptocurrency mining. For the actions taken after compromise, the percentages are as follows:

  • Send spam (2%);
  • Launch DDoS bot (2%);
  • Host unauthorized content on the Internet (4%);
  • Host malware (6%);
  • Launch attacks against other targets on the Internet (8%);
  • Conduct port scanning of other targets on the Internet (10%);
  • Conduct cryptocurrency mining (86%).

TAG also noted that the totals do not add up to 100%, as some compromised instances were used to perform multiple malicious activities.

    Andrew Nail

    Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job is what I want to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people to deal with malware they have on their PCs.
