-
A program that automates the APT38 technique that has been used to target cybersecurity researchers and experts
-
Lazarus, a state-sponsored group affiliated with North Korea, has a well-documented track record of targeting cybersecurity researchers. Among its notable techniques, one stands out for its effectiveness in tricking numerous cybersecurity experts.
-
The attackers create multiple Twitter and other social media accounts to establish credibility. Through social engineering, they persuade security researchers to collaborate on research using a Microsoft Visual Studio project; the project contains malicious code in its vcxproj file. Consequently, when the researcher attempts to build the project, the embedded malicious code is executed.
This analysis is based on information shared by Google's Threat Analysis Group and by security researcher Joel Eriksson, who documented his experience with this attack. Their write-ups highlighted the following attack chain, which is what defenders need to recognize:
- Create believable security researcher personas on social platforms
- Build trust through technical conversations
- Target actual security researchers through direct messages
- Offer collaboration on "proof of concept" projects
- Send encrypted ZIP files containing Visual Studio projects and claim the projects demonstrate interesting vulnerabilities
- Mention encryption to appear security-conscious
- Use small file sizes (452.13 KB) to seem like legitimate code projects
- Hide malicious PowerShell commands within Visual Studio project files; the PowerShell commands execute with a bypassed execution policy and hidden windows
- Include OS checks that verify:
  - Windows 10 is running (osversion.version.major -eq 10)
  - the system is 64-bit (is64bitoperatingsystem)
  - a specific path exists (Test-Path x64\Debug\Browse.VC.db)
- Key technique: use rundll32 to load malicious code from a file disguised as a Visual Studio database file and call a specific exported function, ENGINE_get_RAND, with two parameters:
  - a 16-character string that appears to be a key/identifier: 6bt7cJNGEb3Bx9yK
  - a numeric value: 2907
- Upon execution within the Visual Studio projects directory, the program infects all vcxproj files by injecting custom code. This code is designed to execute when the individual attempts to build the project.
An attacker sends a malicious Visual Studio project to a developer. The developer opens the project, which appears to be a legitimate code sample. Upon the first build, the program infects ALL Visual Studio projects on the developer's system.
The infected developer continues normal work, modifying and sharing projects with colleagues. Each shared project carries the infection to new developer machines; when colleagues open and build these projects, their environments become infected, and the infection continues to spread across the development team.
In a successful campaign, this creates a catastrophic compromise of the entire development ecosystem.
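As an added example (not part of the program described on this page), a defender-side scanner that parses a .vcxproj file and flags build-event commands carrying the indicators listed above: PowerShell with a bypassed execution policy and hidden window, rundll32 loading Browse.VC.db, and the ENGINE_get_RAND export. The sample project XML is constructed for the demonstration, and the indicator names and function names are my own assumptions rather than anything from the tool.

```python
import re
import xml.etree.ElementTree as ET

# Indicators taken from the technique described above; the names are mine.
INDICATORS = {
    "powershell_in_build_event": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "execution_policy_bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    "rundll32_loader": re.compile(r"\brundll32(\.exe)?\b", re.I),
    "vs_database_as_dll": re.compile(r"Browse\.VC\.db", re.I),
    "suspicious_export": re.compile(r"\bENGINE_get_RAND\b", re.I),
}

def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def extract_commands(vcxproj_xml):
    """Return every command line MSBuild would run for this project:
    <Command> bodies of build events / custom build steps and Exec tasks."""
    root = ET.fromstring(vcxproj_xml)
    commands = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "Command" and el.text and el.text.strip():
            commands.append(el.text.strip())
        elif name == "Exec" and el.get("Command"):
            commands.append(el.get("Command").strip())
    return commands

def scan_vcxproj(vcxproj_xml):
    """Map each suspicious build command to the indicator names it matches."""
    findings = {}
    for cmd in extract_commands(vcxproj_xml):
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        if hits:
            findings[cmd] = hits
    return findings

# Constructed sample: one clean pre-build step plus a post-build step shaped
# like the loader described above (an illustration, not the campaign's line).
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent><Command>echo Preparing build</Command></PreBuildEvent>
    <PostBuildEvent><Command>powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "rundll32 x64\\Debug\\Browse.VC.db,ENGINE_get_RAND"</Command></PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for cmd, hits in scan_vcxproj(SAMPLE_VCXPROJ).items():
        print("SUSPICIOUS:", ", ".join(hits), "<-", cmd)
```

Run it over every .vcxproj in a checkout before the first build; a clean project yields an empty result, and any match is worth reading by hand since legitimate build events rarely need hidden-window PowerShell or rundll32.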