Twitter suspends accounts used to catfish security researchers

It is not enough that we, the internet users, are careful with our activities online. We should be extra careful, and if it helps, employ every precautionary measure to keep our devices, accounts, and online activities safe and secure.

Twitter, a popular social media platform, has suspended two accounts, @lagal1990 and @shiftrows13. These accounts were used specifically to deceive security researchers into downloading malware in a long-running cyber-espionage campaign attributed to North Korea.

The campaign was first discovered by Google’s Threat Analysis Group (TAG) in January and is still ongoing. On Friday, TAG analyst Adam Weidermann confirmed that Twitter had shut down the two accounts used in the operation.

This is not the first time Twitter has suspended accounts connected to the espionage campaign. It is the second time the platform has taken action against activity linked to the Democratic People’s Republic of Korea (DPRK); the first was back in August.

“We (TAG) confirmed these are directly related to the cluster of accounts we blogged about earlier this year,” Weidermann said. “In the case of @lagal1990, they renamed a GitHub account previously owned by another of their Twitter profiles that was shut down in Aug, @mavillon1.”

According to Weidermann’s January analysis, the malicious actors created a “research” blog and used the Twitter profiles to distribute links in order to reach potential targets, i.e., the victims.

They also used the accounts to post videos of purported exploits and to amplify and retweet posts from other Twitter accounts that they own and control.

Two accounts were already shut down by Twitter

The ongoing campaign targets security researchers through the thing they care about most: bugs and research. Weidermann detailed that both Twitter accounts had posed as security researchers, “leaning on the hype of 0 days to gain followers and build credibility.”

Google’s TAG traced the threat actors behind the campaign to a government entity based in North Korea. TAG also identified what analysts call a “novel” social-engineering tactic that these actors use to target specific security researchers through offers of collaboration.

“After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” Weidermann added.

Little did the targets know that the project was poisoned: “within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events,” Weidermann continued. “The DLL is custom malware that would immediately begin communicating with actor-controlled [command-and-control, or C2] domains.”

Google TAG provided the screen capture below, which shows an example of the VS Build Event.

Visual Studio Build Events. Source: Google TAG
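Because the DLL described above is launched by a build event rather than by the exploit source itself, a project received from a stranger can be checked before it is ever opened in Visual Studio. The following is an added example, not Google TAG's or Twitter's tooling: it parses a .vcxproj (MSBuild XML) and lists every command a build would execute, flagging ones that load a DLL or a scripting host. The sample project and its command are constructed placeholders.

```python
"""Audit a Visual Studio .vcxproj for build events that run commands.
Added example for this article; the sample project below is constructed."""
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose child <Command> runs a shell line during a build.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}
# Substrings worth a closer look: anything that loads a DLL or a script host.
SUSPICIOUS = re.compile(r"rundll32|regsvr32|powershell|cmd\.exe|\.dll|wscript|mshta", re.I)

def _local(tag):
    """Strip the MSBuild XML namespace ({...}Name -> Name) from an element tag."""
    return tag.split("}", 1)[-1]

def find_build_commands(vcxproj_xml):
    """Return (where, command) for every command a build of this project executes."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((name, child.text.strip()))
        elif name == "Exec":  # <Exec Command="..."/> inside a custom <Target>
            cmd = elem.get("Command", "").strip()
            if cmd:
                found.append(("Exec", cmd))
    return found

def flag_suspicious(vcxproj_xml):
    """Subset of find_build_commands whose command matches the SUSPICIOUS patterns."""
    return [(w, c) for w, c in find_build_commands(vcxproj_xml) if SUSPICIOUS.search(c)]

# Constructed sample: a post-build event that silently launches a bundled DLL
# (helper.dll and EntryPoint are placeholder names, not from the real campaign).
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PostBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,EntryPoint</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Hint" AfterTargets="Build">
    <Exec Command="echo build finished" />
  </Target>
</Project>
"""
```

Running `flag_suspicious` on a real project file from an unsolicited collaborator lists the commands to review; an empty result is not a clean bill of health, since a project can also pull in .props/.targets files that must be audited the same way.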

Many security researchers have fallen victim to the campaign. Below, one security researcher took to Twitter to detail what happened when he decided to collaborate.

The malicious actors appeared to be credible security researchers in their own right, having posted videos of exploits they had worked on. This also included faking the success of the exploits they had worked on.

Attacks don’t stand a chance on up-to-date systems

If you want to be protected from these kinds of campaigns, up-to-date systems will do the work for you. It has been found that the security researchers who were victimized weren’t running the latest version of their operating system.

Weidermann said in January, “at the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.”

This goes to show that the threat actors were using zero-days.

And sure enough, after Google TAG first discovered the campaign, South Korean security researchers found that the threat actors were exploiting an Internet Explorer zero-day.
