A renewed campaign attributed to the North Korean government is once again targeting cybersecurity researchers with social engineering designed to deliver malware, according to a new report from Google's Threat Analysis Group (TAG).

According to TAG, the attackers set up a fictitious security firm named SecuriElite and created a cluster of social media profiles on Twitter and LinkedIn to give it credibility. The goal of the operation is to lure security professionals to an attacker-controlled website which, if the actor follows its earlier pattern, would serve a browser exploit to visitors.

Describing the masquerade, TAG analyst Adam Weidemann noted that the fraudulent website presents SecuriElite as an offensive security company based in Turkey, offering penetration tests, software security assessments, and exploits. The site went live on March 17.

The attackers set up eight Twitter accounts and seven LinkedIn profiles impersonating vulnerability researchers and HR personnel from various security firms, with some accounts even posing as executives of the imaginary company. All these accounts have now been suspended.

In response, Google added the fraudulent website to its Safe Browsing blocklist so that users are warned before visiting it. The site was not observed serving malicious content at the time of the report, but its design mirrors the lure sites the same actor used previously.

This campaign echoes tactics TAG documented in January 2021, when the same actor built a network of research blogs and social media profiles to establish rapport with researchers before delivering malware, specifically a Windows backdoor delivered through a trojanized Visual Studio project.
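A practical check that follows from the trojanized-project lure is to inspect any Visual Studio project received from an unknown "researcher" before opening or building it. The script below is an added example, not code from the original article or from Google TAG; it assumes that a trojanized project carries its payload in MSBuild build-event elements (PreBuildEvent, PostBuildEvent, PreLinkEvent, CustomBuild) or Exec tasks, which is an assumption of this example, and the two project files it scans are constructed samples, not real artifacts.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# MSBuild XML namespace used by .vcxproj / .csproj files.
MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"

# Elements that run arbitrary commands when the project is built.
# Assumption: a trojanized project hides its payload in one of these.
SUSPICIOUS_ELEMENTS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Exec", "CustomBuild"}

# Command fragments that have no business in an ordinary build step.
SUSPICIOUS_PATTERNS = re.compile(
    r"(powershell|rundll32|regsvr32|mshta|cmd(\.exe)?\s+/c|certutil|bitsadmin|"
    r"wscript|cscript|Invoke-WebRequest|DownloadString|FromBase64String)",
    re.IGNORECASE,
)

PROJECT_SUFFIXES = {".vcxproj", ".csproj", ".vbproj", ".proj", ".targets", ".props"}


def scan_project_xml(xml_text):
    """Return (element, command, severity) findings for one MSBuild project file."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # strip the XML namespace
        if tag not in SUSPICIOUS_ELEMENTS:
            continue
        # <Exec> carries its command in an attribute; build events use a <Command> child.
        command = elem.get("Command") or ""
        if not command:
            for child in elem:
                if child.tag.split("}")[-1] == "Command" and child.text:
                    command = child.text
        if command.strip():
            severity = "high" if SUSPICIOUS_PATTERNS.search(command) else "review"
            findings.append((tag, command.strip(), severity))
    return findings


def has_high_findings(findings):
    return any(severity == "high" for _, _, severity in findings)


def scan_directory(root_dir):
    """Scan every project-like file under root_dir; unparsable files are flagged for review."""
    results = {}
    for path in Path(root_dir).rglob("*"):
        if path.is_file() and path.suffix.lower() in PROJECT_SUFFIXES:
            try:
                findings = scan_project_xml(path.read_text(encoding="utf-8-sig"))
            except ET.ParseError:
                findings = [("ParseError", "could not parse project XML", "review")]
            if findings:
                results[str(path)] = findings
    return results


# Constructed sample: an ordinary project whose only build event copies the output.
BENIGN_VCXPROJ = f"""<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="{MSBUILD_NS}">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

# Constructed sample: a project that launches a hidden DLL and a PowerShell stager on build.
# The file names and commands are hypothetical.
TROJANIZED_VCXPROJ = f"""<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="{MSBUILD_NS}">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir).vs\\cache.dll",Run 1</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="BeforeBuild">
    <Exec Command="powershell -w hidden -ep bypass -File stage.ps1" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_VCXPROJ), ("trojanized", TROJANIZED_VCXPROJ)):
        findings = scan_project_xml(text)
        print(f"{name}: high={has_high_findings(findings)}")
        for tag, command, severity in findings:
            print(f"  [{severity}] <{tag}> {command}")
```

The "review" severity is deliberate: build events that merely copy or sign artifacts are common, so the scanner reports every command-running element and only escalates those that match known living-off-the-land launchers. Run `scan_directory` against an extracted archive before opening the solution in Visual Studio, since the build events fire as soon as the project is built.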

Following those incidents, South Korean security firm ENKI disclosed an Internet Explorer zero-day that the same attackers had used, via malicious MHTML files, to compromise targeted systems; Microsoft patched the flaw in its March 2021 security updates.

The latest development underscores how readily this actor adapts its tradecraft once exposed. The precise objective of the campaign remains unclear, but the working theory is that the attackers want quiet, persistent access to researchers' systems, both to harvest unreleased zero-day research and to use it in follow-on attacks against targets of their choosing.
