Now, Microsoft has confirmed that it was also tracking the DPRK hacking team, revealed in a recently published report.

Microsoft Tracking North Korean Hacking Group

In a report posted on the Microsoft Security blog, the Microsoft Threat Intelligence Team details its knowledge of the DPRK-linked hacking group. Microsoft tracks the hacking group as “ZINC,” while other security researchers are opting for the more well-known name of “Lazarus.”

Both the Google and Microsoft reports explain that the ongoing campaign uses social media to begin normal conversations with security researchers before sending them files containing a backdoor.

The hacking team runs several Twitter accounts (along with LinkedIn, Telegram, Keybase, Discord, and other platforms) that slowly post legitimate security news, building a reputation as a trusted source. After a time, the actor-controlled accounts reach out to security researchers, asking them specific questions about their research.

If the security researcher responds, the hacking group attempts to move the conversation onto a different platform, such as Discord or email.

Once the new communication channel is established, the threat actor sends a booby-trapped Visual Studio project, hoping the security researcher will build or run it without analyzing its contents.

The North Korean hacking team had gone to great lengths to disguise the malicious file within the Visual Studio project, swapping out a standard database file for a malicious DLL, along with other obfuscation methods.
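The defensive counterpart to the trick described above is a quick triage of any Visual Studio project received from an untrusted contact before it is opened or built. The script below is an added example, not code from the article, Microsoft or Google. It flags two things: files whose bytes start with the PE "MZ" signature but whose extension does not say "executable" (which is what a DLL hidden as a "database" file looks like), and build-event commands in `.vcxproj` files, which MSBuild runs automatically when the project is built. The sample project it writes to a temporary directory, including the file names and the placeholder command, is constructed for the demonstration and is not taken from the campaign.

```python
"""Triage a Visual Studio project directory received from an untrusted source.

Added example (not the article's or any vendor's code). Flags:
  (a) files whose content begins with the PE 'MZ' header but whose
      extension does not advertise executable content, and
  (b) PreBuildEvent/PostBuildEvent/PreLinkEvent commands in .vcxproj files,
      which MSBuild executes as part of a build.
The sample project below is constructed for the demo; the 'database' file
holds only a fake DOS header, not a real binary.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
EXECUTABLE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".scr"}
BUILD_EVENT_TAGS = ("PreBuildEvent", "PostBuildEvent", "PreLinkEvent")


def is_pe_file(path):
    """True if the file starts with the 'MZ' DOS header used by PE images."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def disguised_pe_files(root_dir):
    """PE images whose extension does not advertise executable content."""
    hits = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXECUTABLE_EXTENSIONS and is_pe_file(path):
                hits.append(os.path.relpath(path, root_dir))
    return sorted(hits)


def build_event_commands(vcxproj_path):
    """(tag, command) pairs MSBuild would run as build events for this project."""
    root = ET.parse(vcxproj_path).getroot()
    commands = []
    for tag in BUILD_EVENT_TAGS:
        for event in root.iter(f"{{{MSBUILD_NS}}}{tag}"):
            cmd = event.find(f"{{{MSBUILD_NS}}}Command")
            if cmd is not None and cmd.text and cmd.text.strip():
                commands.append((tag, cmd.text.strip()))
    return commands


def triage_project(root_dir):
    """Report dict a reviewer can inspect before opening or building the project."""
    report = {"disguised_pe": disguised_pe_files(root_dir), "build_events": []}
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name.lower().endswith(".vcxproj"):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root_dir)
                for tag, cmd in build_event_commands(path):
                    report["build_events"].append((rel, tag, cmd))
    return report


def make_sample_project():
    """Constructed sample: a .vcxproj with a pre-build event, a 'database' file
    that is really a PE header, and a harmless text file that must not be flagged."""
    d = tempfile.mkdtemp(prefix="vsproj_")
    vcxproj = f"""<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="{MSBUILD_NS}">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>cmd /c echo placeholder-build-step</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""
    with open(os.path.join(d, "sample.vcxproj"), "w") as f:
        f.write(vcxproj)
    with open(os.path.join(d, "sample.VC.db"), "wb") as f:  # constructed name
        f.write(b"MZ" + b"\x00" * 62)  # fake DOS header only, not a real binary
    with open(os.path.join(d, "notes.txt"), "w") as f:
        f.write("plain text, should not be flagged\n")
    return d


if __name__ == "__main__":
    print(triage_project(make_sample_project()))
```

The point of the two checks is that neither depends on the attacker's naming: a PE image is identified by its header, not its extension, and any command placed in a build event is surfaced for a human to read before the IDE gets a chance to execute it.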

According to the Google report on the campaign, the malicious backdoor isn’t the only attack method.

Microsoft believes that “a Chrome browser exploit was likely hosted on the blog,” although this is not yet verified by either research team. Adding to this, both Microsoft and Google believe a zero-day exploit was used to complete this attack vector.

Targeting Security Researchers

The immediate threat of this attack is to security researchers. The campaign has specifically targeted security researchers involved in threat detection and vulnerability research.

As we often see with highly targeted attacks of this nature, the threat to the general public remains low. However, keeping your browser and antivirus software up to date is always a good idea, as is not clicking random links on social media.