then doesn’t that mean it only runs that code if the user clicks “OK” on the update dialog?
(Edit: I think I understand now. It’s not the code, it’s the update URL that’s the problem, because it’s controlled by NK. So if you run this and blindly click “OK”, then it will download an executable that will infect your PC.)
(Edit 2: Or the issue is not in the source at all, but is in the prebuilt binary.)
The 0-day is in a popular software package. The GitHub repo apparently contains a backdoor ability to execute code from the attacker. If I had to guess, this would be the software update functionality here: https://github.com/dbgsymbol/getsymbol/blob/cb4bdedc1a85c308...
"In addition to targeting researchers with 0-day exploits, the threat actors also developed a standalone Windows tool that has the stated goal of 'download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers.'
The attackers used a 0-day but getsymbol is not one.
"But the tool also has the ability to download and execute arbitrary code from an attacker-controlled domain."
Sounds like most software nowadays to be honest. The blog author does not really point out why this code would be more malicious than "normal" or how the code author is known to be Korean.
0: https://github.com/dbgsymbol/getsymbol/blob/cb4bdedc1a85c308...
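The distinction the thread circles around (an updater that pulls from a server the attacker controls, versus the "normal" auto-update most software does) comes down to where the client anchors trust. Below is an added example, not code from getsymbol, from the thread, or from the blog being quoted; it assumes a Go client, Ed25519 signatures, and constructed key pairs and payloads, and it says nothing about how the real tool's update path actually works. It models the same update response served two ways: a blind updater that launches whatever the URL returns, and a verified updater that only launches payloads signed by a publisher key pinned in the client. A server operator who controls the domain but not that key can rewrite every field of the response and still fails the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateResponse models what an update endpoint hands back to the client.
// Everything in it arrives from the network, so if the domain is attacker-
// controlled, every field is attacker-controlled too.
type UpdateResponse struct {
	Version   string
	Payload   []byte // bytes the server wants the client to execute
	SHA256    string // hash the server claims for Payload
	Signature []byte // Ed25519 signature by the publisher over sha256(Payload)
}

// Runner is whatever actually launches the downloaded binary. Here it is a
// callback so the example can count launches instead of executing anything.
type Runner func(payload []byte)

// blindUpdate is the pattern the thread is worried about: the client runs
// whatever the update URL serves. The user's "OK" click is the only gate,
// and it tells the user nothing about where the bytes came from.
func blindUpdate(resp UpdateResponse, run Runner) error {
	run(resp.Payload)
	return nil
}

// verifiedUpdate is the hardened form: the client ships with the publisher's
// public key pinned and refuses to launch anything that key did not sign.
// A hostile update server can change every byte of the response, but it
// cannot produce a signature that verifies under a key it does not hold.
func verifiedUpdate(resp UpdateResponse, pinned ed25519.PublicKey, run Runner) error {
	digest := sha256.Sum256(resp.Payload)
	// The hash check only detects transport corruption: a server that lies
	// about Payload can lie about SHA256 just as easily. The signature is
	// what anchors trust outside the server.
	if hex.EncodeToString(digest[:]) != resp.SHA256 {
		return errors.New("payload hash does not match the manifest")
	}
	if !ed25519.Verify(pinned, digest[:], resp.Signature) {
		return errors.New("signature does not verify under the pinned publisher key")
	}
	run(resp.Payload)
	return nil
}

// buildResponse is what an update server (honest or not) does to produce a
// response: hash the payload and sign the hash with whatever key it holds.
func buildResponse(signer ed25519.PrivateKey, version string, payload []byte) UpdateResponse {
	digest := sha256.Sum256(payload)
	return UpdateResponse{
		Version:   version,
		Payload:   payload,
		SHA256:    hex.EncodeToString(digest[:]),
		Signature: ed25519.Sign(signer, digest[:]),
	}
}

func main() {
	// Constructed keys: the real publisher, and an operator who controls
	// the update domain but not the publisher's signing key.
	publisherPub, publisherPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, hijackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := buildResponse(publisherPriv, "1.1", []byte("constructed: legitimate build"))
	hostile := buildResponse(hijackerPriv, "1.2", []byte("constructed: bytes from a hijacked update URL"))

	launched := 0
	count := func([]byte) { launched++ }

	_ = blindUpdate(hostile, count)
	fmt.Println("blind updater launched the hostile payload; launches so far:", launched)

	if err := verifiedUpdate(hostile, publisherPub, count); err != nil {
		fmt.Println("verified updater rejected the hostile payload:", err)
	}
	if err := verifiedUpdate(genuine, publisherPub, count); err == nil {
		fmt.Println("verified updater launched the genuine payload; launches so far:", launched)
	}
}
```

The pinned key is the whole difference: with it, owning the update domain buys an attacker nothing beyond denial of service, and the user's "OK" click is no longer the last line of defence. Without it, the dialog is cosmetic, which is the reading the thread arrives at for a tool whose update URL sits on a domain the operators control.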