Lazarus Group behind security researcher attacks

The recent hacking campaign targeting penetration testers, private offensive security researchers and other infosec workers was undertaken by the North Korean state-sponsored Lazarus Group, Microsoft's Threat Intelligence Centre said.

Microsoft tracks the threat actors as ZINC, and based on observed techniques, malware used in the attacks, and account affiliations, its security researchers have attributed the campaign with high confidence to the North Korean hackers.

Lazarus Group/ZINC has been active since at least 2009 and is thought to be behind many high-profile and destructive cyber attacks.

Hacks attributed to the North Korean group include the WannaCry malware campaign, the Sony Pictures Entertainment wiper attack, and theft of crypto currencies from exchanges.

The recent attacks on security researchers used social engineering and deception, and were first reported by Google's Threat Analysis Group.

On top of adding an unknown zero-day vulnerability that works against the fully-patched Google Chrome web browser on a blog to plant malware, the threat actors also sent researchers malicious Visual Studio projects with malware as prebuilt binaries.

These included the Comebacker dynamic link library (DLL) which attempts to perform privilege escalation for processes, and the Klackring DLL that registers malicious services on target machines, Microsoft said.

Other malware used by the Lazarus Group/ZINC included a booby-trapped MHTML web archive with obfuscated JavaScript that attempted to fetch an unknown payload, a Windows driver to modify kernel code, and a Chrome password stealer.

Like Google TAG, Microsoft suggests that security professionals use isolated environments for handling untrusted files and links.

Those who have visited the malicious blog - br0vvn dot io - should immediately run a full anti-malware scan.

If any malware related to the above is found, people should assume a full compromise of their systems and rebuild them, Microsoft said.

Any information on affected compromised machines such a security research may have been compromised in the attacks.