North Korean hackers exploit Chrome zero-day weeks before patch


North Korean state hackers exploited a zero-day remote code execution vulnerability in the Google Chrome web browser for more than a month before a fix was available, in attacks targeting news media, IT companies, cryptocurrency and fintech organizations.

Google’s Threat Analysis Group (TAG) has attributed two campaigns exploiting the recently patched CVE-2022-0609 (described only as a “use after free in Animation” at this time) to two separate groups of attackers supported by the North Korean government.

Exploit actively deployed since early January

In a report shared in advance with BleepingComputer, Google TAG details tactics, techniques, and procedures (TTPs) related to these activities, which targeted more than 330 individuals.

Victims were targeted via emails, fake websites or compromised legitimate websites, all of which ultimately led to the exploit kit for CVE-2022-0609 being triggered.

Example of phishing email used in campaigns (Google TAG)

Google TAG discovered the campaigns on February 10 and patched the vulnerability in an emergency Google Chrome update four days later.

However, researchers say the first sign of active exploitation of the zero-day vulnerability was found on January 4, 2022.

The link to the North Korean hackers, also known as the Lazarus Group, comes from one of the campaigns, which has a direct infrastructure overlap with another activity attributed to the same threat actor last year: targeting security researchers using fake social media accounts on Twitter and LinkedIn.

Breaching legitimate sites to serve the exploit

One of the two North Korean threat subgroups focused on more than “250 people working for 10 different news media, domain registrars, web hosting providers and software companies.”

Google TAG notes that this activity is consistent with Operation Dream Job, a North Korean cyber espionage campaign detailed by ClearSky researchers in August 2020.

Operation Dream Job lured victims with fake job offers from major defense and aerospace companies in the United States, including Boeing, McDonnell Douglas and BAE.

Google TAG notes that in the campaign, it discovered targets had received phishing emails with fake job opportunities from Disney, Google and Oracle recruiters.

“The emails contained links spoofing legitimate job search websites like Indeed and ZipRecruiter,” the researchers explained, adding that clicking on them would serve victims a hidden iframe that triggered the exploit kit.

For this campaign, the attacker registered several domains, such as disneycareers[.]net and find-dreamjob[.]com, but also compromised at least one legitimate website.

Fake job site used to trigger exploit kit (Google TAG)

The second campaign discovered by Google TAG to use the same exploit kit for CVE-2022-0609 targeted over 85 users in the cryptocurrency and fintech industries and is attributed to the same group behind the AppleJeus operation [1, 2, 3], detailed by Kaspersky in 2018.

“This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites – already set up to distribute trojanized cryptocurrency apps – host iframes and redirect their visitors to the exploit kit,” Google TAG said.

Just like in the previous campaign, this group also registered new domains and compromised a few legitimate domains.
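As an added example (not code from Google TAG or from this article), here is a small Python check a site operator could run over the HTML their own server actually returns, to flag the injection pattern both campaigns relied on: hidden iframes that point off-origin. The sample HTML, hostnames and the `find_suspicious_iframes` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page into which an attacker injected a hidden
# off-origin iframe, next to a benign same-origin embed and a zero-size third-party frame.
SAMPLE_HTML = """
<html><body>
<h1>Quarterly results</h1>
<iframe src="/widgets/chart" width="600" height="400"></iframe>
<iframe src="https://careers-lure.example/lp" style="display:none;width:0;height:0"></iframe>
<iframe src="https://cdn.example/player" width="0" height="0"></iframe>
</body></html>
"""

# Inline-style fragments that make a frame invisible to the visitor.
# Substring matching is deliberately loose (e.g. "border-width:0" also matches);
# this is a triage check, so a false positive costs only a manual look.
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "width:0", "height:0")

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def is_hidden(attrs):
    """True if the iframe is hidden via inline style or zero width/height attributes."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
        return True
    return attrs.get("width") in ("0", "0px") or attrs.get("height") in ("0", "0px")

def find_suspicious_iframes(html, page_host):
    """Return src values of hidden iframes whose src points to a host other than page_host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host is None or host == page_host:
            continue  # relative or same-origin frames are expected content
        if is_hidden(attrs):
            hits.append(src)
    return hits

if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "corp.example"):
        print("hidden off-origin iframe:", src)
```

Run it against the HTML as served (after any CDN or server-side templating), since an injection on the origin server only shows up in the live response.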

Fake site that delivered malicious crypto apps (Google TAG)

Protecting the exploit chain

While analyzing the exploit, the researchers discovered that the attacker had built in several protective features that made it more difficult to recover the multiple exploit stages needed to compromise targets.

For example, the iframe with the link to the exploit kit was served only at specific times, some targets were given unique IDs (so the exploit would be served only once), each stage of the kit was encrypted (client responses included), and the later stages were delivered only if the previous one had succeeded.

The researchers say that the kit's first action was to fingerprint the target system by collecting details such as the user agent and screen resolution.

If this data matched a set of specific requirements (unknown at this time), the client would receive the Chrome remote code execution (RCE) exploit and additional JavaScript that requested a sandbox escape, to break out of the browser's confinement onto the system.

However, Google TAG was unable to recover any of the steps that followed the initial remote code execution step.

The researchers found evidence that the North Korean hackers weren’t only interested in Google Chrome users: they also checked for Safari users on macOS and for Firefox users, directing them “to specific links on known exploitation servers.”

At the time of analysis, however, the observed URLs did not return any responses.

A full list of indicators of compromise, including exploit URLs and attacker-registered domains, is available in the Google TAG report.
