Full Disclosure mailing list archives

North Korean APT Attacks Security Researchers in Social Media 2022


From: "info () vulnerability-lab com" <info () vulnerability-lab com>
Date: Wed, 2 Feb 2022 17:16:49 +0100

Hello Security Researchers,

Our independent Vulnerability Laboratory team would like to inform the public security research community and whitehats about an incident in which the North Korean APT is targeting security researchers.

As of today, a new campaign has been started by the North Korean APT in connection with some Indian affiliates. The campaign targets only security researchers on social media. In most cases the researcher receives a contact request followed by a private message, or the message is sent directly to the pages they manage, multiple times.

The message includes the following text:

------------------------
--- English Version
I am a criminal data collection company representing Chinese law enforcement agencies. These fraudulent sites are deceiving many people in China. I need to bring the data to China to sue the site owner. Chinese law enforcement agencies have no law enforcement powers where the servers of this website are located. Therefore, we can only turn to foreign hackers for help at a high cost.

Crack the database management authority of the website and download me all the data in the database. You will receive the payment in USDT after I receive the data verification.

--- German Version (translated into English)
I am a criminal data collection company that represents Chinese law enforcement authorities. These fraudulent sites deceive many people in China. I have to bring the data to China in order to sue the website owner. Chinese law enforcement authorities have no law enforcement powers where the servers of this website are located. Therefore we can only turn to foreign hackers, at high cost, to obtain help.

Crack the database administration authority of the website and download all the data in the database for me. You will receive the payment in USDT after I have received the data verification.
------------------------

1:30,000 USDT
https://gec.green-entrepreneurship.cc/login_zh.html?0.8208984571383173
username:15289618853
password:qq308830


2:30,000 USDT
https://www.cegdex.com/downloadMobile.html
username:asdfhuhu
password:asdfhuhu
transaction password:852369
Phone number:+12098746325
SMS verification code platform:https://mianfeijiema.com/sms/12098746325


3:40,000 USDT
http://ahcprotect.com
username:DD3645450
password:333333

http://www.ahcgoods.com
username:DD1357619
password:333333


4:200,000 USDT
https://www.youlucky.biz/

------------------------

After that text, the APT lists in the message all the targets it wants to infiltrate or rob. The main target is the Olympia service of a provider; the secondary targets are financially motivated and involve SMS verification bypass, which is mainly used to steal from cryptocurrency or financial platforms.

The impact of the attack does not yet reveal what their real targets are, because this is a high-level espionage tactic. The APT searched for professional hackers and researchers with a high level of reputation on social media.

1. The attackers want to compromise the researcher by extortion or identity compromise.

2. The attackers want the hacker and researcher community to attack the targets listed in the message as a service, without any real purpose of its own; in other words, you do exactly what they tell you, which drives up traffic against the targets or hides their own traces.

3. They are really asking for this service in order to gain access to Olympia service data, or to financial services to which they already have access but where they need to bypass specific mechanisms such as SMS verification.

The motivation and the impact of the attack are not clearly visible yet; we would like to inform everybody about it via the mailing list so that people are aware of the North Korean APT.

Risks that come along with the attack:
Phishing (Links, Sites & Emails)
Downgrade Attacks (Redirect & SSL Downgrade)
Malware Infection (2021 Q1 NET DLL Malware)
Identity Compromise (2021 Security Researchers)
Exploit Development (2021 Chrome Scenario)
Attacks against 3rd Party Service (Chain Exploitation)
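Because the lure described above has a fixed shape (the "law enforcement" cover story, a USDT bounty per target, then a URL followed by `username:`/`password:` lines and, for the financial targets, a phone number and an SMS verification platform), it can be recognised and its indicators extracted automatically, for example by a team that screens inbound social-media messages or collects IoCs from reports like this one. The following Python is an added example written for this advisory, not code from the Vulnerability Lab post; the sample message and all hosts, credentials, amounts and phone numbers in it are constructed placeholders, and the phrase list and score weights are my own heuristic choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the lure quoted in the post. Every host,
# credential, phone number and amount is a placeholder (example.invalid), not
# one of the real targets listed in the advisory.
SAMPLE_MESSAGE = """\
I am a criminal data collection company representing Chinese law enforcement agencies.
Crack the database management authority of the website and download me all the data
in the database. You will receive the payment in USDT after I receive the data verification.

1:30,000 USDT
https://portal.example.invalid/login_zh.html?0.123
username:user01
password:pass01

2:30,000 USDT
https://exchange.example.invalid/downloadMobile.html
username:user02
password:pass02
transaction password:000000
Phone number:+10000000000
SMS verification code platform:https://sms.example.invalid/sms/10000000000
"""

# Constructed benign contact request, to show the heuristic does not fire on it.
BENIGN_MESSAGE = "Hi, I enjoyed your talk on fuzzing. Would you be open to a short chat next week?"

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# "key:value" lines exactly as they appear in the lure (no space after the colon).
FIELD_RE = re.compile(
    r"^\s*(username|password|transaction password|phone number)\s*:\s*(\S+)", re.I | re.M
)
PHONE_RE = re.compile(r"\+\d{10,15}")
# "1:30,000 USDT"-style bounty lines that introduce each target.
BOUNTY_RE = re.compile(r"^\s*\d+\s*:\s*([\d,]+)\s*USDT", re.I | re.M)

# Wording taken from the lure text quoted in the post (heuristic, my selection).
LURE_PHRASES = (
    "law enforcement",
    "crack the database",
    "download me all the data",
    "payment in usdt",
    "sms verification",
)


@dataclass
class LureReport:
    urls: list[str]                      # targets to block and report
    credentials: list[tuple[str, str]]   # (field, value) pairs embedded in the message
    phones: list[str]
    bounties_usdt: list[int]
    phrase_hits: list[str]

    def score(self) -> int:
        """Wording hits plus the structural tells: embedded creds, phone numbers, bounties."""
        return (len(self.phrase_hits)
                + (2 if self.credentials else 0)
                + (1 if self.phones else 0)
                + (1 if self.bounties_usdt else 0))


def analyze(text: str) -> LureReport:
    """Extract the indicators from one message and score how closely it matches the lure."""
    lowered = text.lower()
    credentials: list[tuple[str, str]] = []
    phones = set(PHONE_RE.findall(text))
    for name, value in FIELD_RE.findall(text):
        if name.lower() == "phone number":
            phones.add(value)
        else:
            credentials.append((name.lower(), value))
    return LureReport(
        urls=URL_RE.findall(text),
        credentials=credentials,
        phones=sorted(phones),
        bounties_usdt=[int(b.replace(",", "")) for b in BOUNTY_RE.findall(text)],
        phrase_hits=[p for p in LURE_PHRASES if p in lowered],
    )


def is_lure(text: str, threshold: int = 4) -> bool:
    """True when the message carries enough of the lure's wording and structure."""
    return analyze(text).score() >= threshold


if __name__ == "__main__":
    report = analyze(SAMPLE_MESSAGE)
    print("lure:", is_lure(SAMPLE_MESSAGE), "score:", report.score())
    for url in report.urls:
        print("block/report URL:", url)
```

The structural tells carry most of the weight on purpose: a benign recruiter or collaboration request never ships `username:`/`password:` lines or a per-target USDT bounty, so even a reworded version of the cover story still scores once the target list is present. The extracted URLs and phone numbers are what a team would forward to the affected providers and add to its own blocklists.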

Pictures:
https://ibb.co/1ffY1vb
https://ibb.co/9cmhD3z
https://ibb.co/3YVmMXX
https://ibb.co/m6s4R2G
https://ibb.co/XJSsWDG
https://ibb.co/JcDTDZ7

--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/