Microsoft has recently detected an ongoing campaign by ZINC targeting security researchers who work on vulnerability research and development. The same campaign had been reported by Google's Threat Analysis Group (TAG) a few days earlier; Microsoft Defender for Endpoint detected it while it was still in progress. The main targets were pen testers, independent offensive security researchers, and employees at security and technology companies.
ZINC is a North Korea-based threat actor. Starting in mid-2020 it built credibility in the security research community on Twitter by retweeting high-quality security content and posting about exploit research on an actor-controlled blog. The actors then approached selected researchers on social media platforms such as Twitter and LinkedIn and asked them about exploit techniques. If a researcher responded, the actor would in some cases offer to move the conversation to another platform (e.g., email or Discord) and then send files as encrypted or PGP-protected ZIP archives. The lure was a Visual Studio project containing a malicious DLL that is executed when the project is built. It leads to the installation of a backdoor that let the attackers gather information, execute commands on the compromised machine, and carry out hands-on-keyboard activity.
This campaign shows that security agencies, researchers, and practitioners have themselves become prime targets for threat actors. Security professionals should therefore build untrusted projects in Visual Studio, and open any links or files sent by unknown parties, only inside an isolated environment such as a disposable virtual machine. Anyone who has visited the ZINC-owned blog referenced in the reports should also run a full antimalware scan immediately.
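One concrete check to pair with that isolation habit, given here as an added example that is not taken from the article, from Microsoft's or Google's reports, or from any ZINC sample: a Visual Studio C++ project file (.vcxproj) is MSBuild XML, and MSBuild lets a project run arbitrary command lines during a build through PreBuildEvent / PreLinkEvent / PostBuildEvent command elements, Exec tasks, UsingTask task-assembly registrations, and imported .targets or .props files. The script below parses a project file, lists every such hook, and pulls out the DLL, EXE and script paths they mention so a reviewer can read them before pressing Build. The sample project and its file names (tools\helper.dll, tools\setup.ps1, tools\extra.targets) are constructed for this example; the script only shows where to look and makes no judgement about whether a project is malicious.

```python
"""Static triage of an MSBuild / Visual Studio project file before building it.

Added example (not from the original article or from Microsoft's report).
It lists the places in a .vcxproj where MSBuild will execute something during
a build, so they can be read in an isolated VM before the project is built.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Elements whose <Command> child is run as a shell command line by the build.
COMMAND_ELEMENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}

# DLL/EXE/script paths worth reading, including MSBuild property references like $(ProjectDir).
BINARY_RE = re.compile(r"[\w\\/.$()\-]+\.(?:dll|exe|ps1|bat|cmd|vbs|js)", re.IGNORECASE)

# Constructed sample project for the example; the paths are hypothetical.
SAMPLE_VCXPROJ = r"""<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <PropertyGroup>
    <ConfigurationType>Application</ConfigurationType>
  </PropertyGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)tools\helper.dll,Start</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command></Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Import Project="tools\extra.targets" />
  <Target Name="Fetch" BeforeTargets="Build">
    <Exec Command="powershell -File tools\setup.ps1" />
  </Target>
</Project>
"""


def _local(tag):
    """Strip the MSBuild XML namespace (absent in SDK-style projects) from a tag name."""
    return tag.rsplit("}", 1)[-1]


def audit_msbuild_project(xml_text):
    """Return (kind, detail) findings for every build-time execution hook, in document order."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        name = _local(elem.tag)
        if name in COMMAND_ELEMENTS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    findings.append((name, child.text.strip()))
        elif name == "Exec":
            findings.append(("Exec", elem.get("Command", "").strip()))
        elif name == "UsingTask":
            # A task assembly is loaded and executed by MSBuild itself.
            findings.append(("UsingTask", elem.get("AssemblyFile") or elem.get("AssemblyName") or ""))
        elif name == "Import":
            # Toolchain imports live under $(VCTargetsPath)/$(MSBuildToolsPath); a path into the
            # repository is another project file that can contain all of the hooks above.
            proj = elem.get("Project", "")
            if not proj.startswith("$("):
                findings.append(("Import", proj))
    return findings


def referenced_binaries(findings):
    """Collect the distinct DLL/EXE/script paths named anywhere in the findings."""
    paths = []
    for _, detail in findings:
        for match in BINARY_RE.findall(detail):
            if match not in paths:
                paths.append(match)
    return paths


def report(xml_text):
    """Human-readable triage lines; returned rather than printed so they can be tested."""
    findings = audit_msbuild_project(xml_text)
    lines = [f"{kind}: {detail}" for kind, detail in findings]
    binaries = referenced_binaries(findings)
    if binaries:
        lines.append("files to inspect before building: " + ", ".join(binaries))
    if not findings:
        lines.append("no build-time execution hooks found (still build in an isolated VM)")
    return lines


if __name__ == "__main__":
    # Usage: python audit_vcxproj.py path\to\project.vcxproj (defaults to the sample).
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_VCXPROJ
    print("\n".join(report(data)))
```

Run it against every .vcxproj, .props and .targets in the archive, not just the top-level project, since an imported file is a project file in its own right. The check is deliberately narrow: MSBuild has further execution paths (inline tasks, property functions, NuGet package build scripts) that this script does not cover, so a clean report lowers the risk but does not remove the need to build in an isolated machine.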