Google’s TAG team said the attackers had contacted their intended victims and asked to collaborate on vulnerability research. Aside from Twitter, they also used LinkedIn, Telegram, Discord, Keybase, and email to reach their targets, sending a malware-laden Microsoft Visual Studio project to compromise their systems. In other cases, victims’ computers were compromised after they visited the attacker’s blog by following a link on Twitter. Both methods installed a backdoor on the victims’ computers that connected them to a command and control server operated by the attacker.
These representatives used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase, and email. We provide a list of well-known accounts and IOCs in the blog post.
– Shane Huntley (@ShaneHuntley) January 26, 2021
Victims’ systems were compromised while running fully patched Windows 10 and up-to-date Chrome browsers. Google’s TAG team has so far only seen the attackers targeting Windows, but it is still unable to confirm the mechanism of compromise and encourages researchers to submit Chrome vulnerabilities to its bug bounty program. The team also listed all of the websites the actor controlled and the accounts it had identified as part of the campaign.
This is my first contact .. Twitter deleted the account but they said “hello” and “hello” to prompt for the first two messages and then asked if I can use the Windows kernel pic.twitter.com/VJmo4yzPoC
– Richard Johnson (richinseattle) January 26, 2021