Hackers set up a SecuriElite shell company

In January 2021, Google Threat Analysis Group (TAG) experts spoke about the attack on IT security researchers around the world. Some details of this unusual operation have now been published.

The attackers used the new 0-day, which is triggered in the latest versions of Windows 10 and Chrome. In addition, researchers were offered to participate in a joint Visual Studio project and, upon their request, were provided with a DLL allegedly with an exploit code (a DLL hash on VirusTotal). This vector of social engineering is encountered for the first time in the world.

The investigation showed that the hacker group contacted security researchers through fake social media accounts Twitter and LinkedIn.

Fake LinkedIn and Twitter user profiles

Moreover, they created a fake company called SecuriElite, which is based in Turkey and allegedly invites security experts. The company reportedly offers offensive security services, including “pentests, software security assessments, and exploits.”

In total, Google identified eight Twitter accounts and seven LinkedIn profiles that were involved in the operation. A blog with interesting information on the topic of information security to attract the target audience was launched in 2020.

Blog with interesting information

For the operation, profiles were registered on a number of platforms, including Telegram, Keybase and Discord, in order to communicate with researchers and gain their trust.

On January 14, 2021, the attackers posted on Twitter and YouTube a video demonstrating an exploit for the recently closed Windows Defender vulnerability (CVE-2021-1647).