Google’s TAG team said the attackers had contacted their intended victims, asking to collaborate in the investigation of the vulnerability. Besides Twitter, they also used LinkedIn, Telegram, Discord, Keybase, and email to reach their targets, sending them a Microsoft Visual Studio project containing malware to gain access to their systems. In some cases, victims’ computers have been compromised after visiting a bad actor’s blog after following a link on Twitter. Both methods led to the installation of a backdoor on the victims’ computers that connected them to a command and control server controlled by the attacker.
These players have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase, and email. We provide a list of known accounts and CIOs in the blog post.
– Shane Huntley (@ShaneHuntley) January 26, 2021
Victims’ systems were compromised while running fully patched and up to date Windows 10 and Chrome browsers. Google’s TAG team has only seen attackers target Windows systems, so far, but they still can’t confirm “the compromise mechanism” and encourages researchers to submit Chrome’s vulnerabilities to its bounty program. bugs. The team also listed all the websites controlled by the actors and accounts that they identified as part of the campaign.
Here is their first contact. Twitter deleted the account, but they just said “hi” and “hello” to invite the first two messages, then they asked if I could mine the windows kernel pic.twitter.com/VJmo4yzPoC
– Richard Johnson (@richinseattle) January 26, 2021