Government-backed threat actors are using zero-day exploits to infect security researchers and exfiltrate critical vulnerability information.

Credit: Shutterstock

A campaign by government-backed actors in North Korea is believed to be using zero-day exploits to target security researchers working on vulnerability research and development. Google's Threat Analysis Group (TAG) said it has been tracking the campaign since January 2021 and recently found a zero-day exploit being used in it.

"TAG is aware of at least one actively exploited 0-day being used to target security researchers in the past several weeks," said the threat-hunting arm of Google. "The vulnerability has been reported to the affected vendor and is in the process of being patched."

TAG has released an early notification to warn security researchers of its initial findings and says it continues to analyze the DPRK-backed campaign.

The campaign targets security researchers

North Korean threat actors used social media sites such as X (formerly Twitter) to build rapport with their targets, according to TAG. "In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest," TAG said. "After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire."

After establishing a connection with the targeted researcher, the threat actors sent a malicious file containing at least one zero-day exploit for a widely used software package, which Google declined to name in the notification. Once exploitation succeeds, the shellcode runs a series of anti-virtual-machine checks and then sends the collected information, along with screenshots, back to an attacker-controlled command-and-control (C2) domain.
The attack has a secondary infection vector

Apart from the zero-day exploit, the threat actors also plant a standalone Windows tool they developed, whose stated purpose is to download debugging symbols and other program metadata from the Microsoft, Google, Mozilla, and Citrix symbol servers. "On the surface, this tool appears to be a useful utility for quickly and easily downloading symbol information from a number of different sources," TAG said. "The source code for this tool was first published on GitHub on September 30, 2022, with several updates being released since."

Symbol servers provide additional information about a binary (function names, types and source-line mappings) that is useful when debugging software issues or conducting vulnerability research, which makes such a tool a plausible lure for exactly the audience this campaign targets. Beyond its advertised function, the tool also has the ability to download and execute arbitrary code from an attacker-controlled domain, TAG added.
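The distinguishing trait of the tool TAG describes is that a symbol downloader has no legitimate reason to contact anything but the vendors' symbol servers, or to execute what it fetches. The following is an added example written for this article, not the tool's source or anything TAG published: it shows the two guardrails a benign downloader (or a reviewer auditing one) would apply, a host allowlist and a content check on the returned blob. The allowlisted hostnames and the sample URLs and byte strings are assumptions and constructed inputs, not indicators from the campaign.

```python
"""Guardrails for a symbol-downloading helper: restrict which servers it may
contact and sanity-check what comes back before it is written to disk.
Editor-added example; not the tool TAG describes and not Google's code."""
from urllib.parse import urlparse

# Assumption: these hosts stand in for the four vendors' public symbol servers.
ALLOWED_SYMBOL_HOSTS = {
    "msdl.microsoft.com",
    "symbols.mozilla.org",
    "chromium-browser-symsrv.commondatastorage.googleapis.com",
    "ctxsym.citrix.com",
}

# Magic bytes of the artefacts a symbol server legitimately returns.
PDB_MSF7_MAGIC = b"Microsoft C/C++ MSF 7.00\r\n\x1aDS\x00\x00\x00"
PDB_V2_MAGIC = b"Microsoft C/C++ program database 2.00\r\n\x1aJG\x00\x00"
CAB_MAGIC = b"MSCF"   # compressed .pd_ files on a symbol store are cabinets
PE_MAGIC = b"MZ"      # an executable should never come back from a symbol fetch


def is_allowed_symbol_url(url: str) -> bool:
    """Accept only https to an allowlisted host with a symbol-store-shaped path."""
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname:
        return False
    # Exact host match: a lookalike such as msdl.microsoft.com.evil.invalid fails.
    if p.hostname.lower() not in ALLOWED_SYMBOL_HOSTS:
        return False
    # Symbol stores are laid out as .../<file>/<id>/<file>; require at least
    # three path components so a bare "download anything" URL is rejected.
    parts = [x for x in p.path.split("/") if x]
    return len(parts) >= 3


def classify_symbol_blob(data: bytes) -> str:
    """Label the payload by its magic bytes; callers must refuse anything that
    is not symbol data instead of running or saving it."""
    if data.startswith(PDB_MSF7_MAGIC):
        return "pdb"
    if data.startswith(PDB_V2_MAGIC):
        return "pdb-v2"
    if data.startswith(CAB_MAGIC):
        return "cab"
    if data.startswith(PE_MAGIC):
        return "executable"
    return "unknown"


def accept_symbol_download(url: str, data: bytes) -> bool:
    """The policy a benign downloader needs: fetch only from known symbol
    servers, and treat the result strictly as data, never as code."""
    if not is_allowed_symbol_url(url):
        return False
    return classify_symbol_blob(data) in ("pdb", "pdb-v2", "cab")


if __name__ == "__main__":
    # Constructed sample inputs, not real downloads.
    good_url = ("https://msdl.microsoft.com/download/symbols/ntdll.pdb/"
                "0123456789ABCDEF0123456789ABCDEF1/ntdll.pdb")
    stager_url = "https://updates.example.invalid/stage2.exe"  # hypothetical C2
    fake_pdb = PDB_MSF7_MAGIC + b"\x00" * 64
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60
    print(accept_symbol_download(good_url, fake_pdb))    # True
    print(accept_symbol_download(stager_url, fake_pdb))  # False: unknown host
    print(accept_symbol_download(good_url, fake_exe))    # False: PE, not symbols
```

When reviewing a third-party "symbol helper" before running it, the same two questions apply in reverse: does the code contain any fetch to a host outside the vendors' symbol servers, and does any code path pass downloaded bytes to a process-creation, loader or interpreter API? Either answer being yes is the behaviour TAG describes.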