Google reveals North Korean-backed campaign targeting security researchers

Google’s TAG team said the attackers contacted their intended victims and asked to collaborate on vulnerability research. Aside from Twitter, they also used LinkedIn, Telegram, Discord, Keybase and email to reach their targets, sending them a Microsoft Visual Studio Project containing malware to gain entry to their systems. In some cases, victims’ computers were compromised after they followed a link on Twitter to a bad actor’s blog. Both methods led to the installation of a backdoor on the victims’ computers that connected them to an attacker-controlled command and control server.

The victims’ systems were compromised while running fully patched and up-to-date Windows 10 and Chrome browsers. Google’s TAG team has so far seen the attackers target only Windows systems, but it still can’t confirm “the mechanism of compromise” and is encouraging researchers to submit Chrome vulnerabilities to its bug bounty program. The team has also listed all the actor-controlled websites and accounts it has identified as part of the campaign.


