News

North Korean hackers exploited 0-day bug in Chrome

North Korean government hackers exploited a 0-day bug to remotely execute code in the Google Chrome browser. The patch for this bug was released only a month after the attacks began. The activity of hackers was directed at the media, IT companies, cryptocurrency and fintech organizations.

The vulnerability in question is CVE-2022-0609. It was previously reported that the bug is a use-after-free vulnerability in the Animation component. Typically, attackers use these bugs to execute arbitrary code on computers with vulnerable versions of Chrome, as well as to escape from the sandbox.

The Google Threat Analysis Group (TAG) reports that the vulnerability was exploited by two different North Korean government-backed hack groups in two separate campaigns.

The TAG report states that the hackers harassed their victims through emails, fake sites, or compromised sites, all of which eventually led to the activation of an exploit kit containing the exploit for CVE-2022-0609. Interestingly, the first signs of this activity were discovered on January 4, 2022, while the vulnerability was found only on February 10 and fixed a few days later.

One of the two aforementioned hack groups attacked over “250 people working for 10 different media outlets, domain registrars, hosting providers and software vendors.” Google TAG notes that these attacks are likely related to the Dream Job cyber-espionage operation, which researchers at ClearSky described in detail back in 2020.

Let me remind you that as part of the Dream Job, hackers lured victims with fake job offers in well-known US defense and aerospace companies, including Boeing, McDonnell Douglas and BAE. Now Google TAG writes that in the course of new attacks, targets received phishing emails with fake job offers at Disney, Google and Oracle.

The emails contained links to fake job search sites that imitated resources such as Indeed and ZipRecruite.the researchers explain, adding that clicking on such links triggered a hidden iframe that activated the exploit kit.

For this campaign, the attacker registered several domains, including disneycareers[.]net and find-dreamjob[.]com, but also compromised at least one real job site.

The second hacking campaign discovered by Google TAG used the same exploit kit for CVE-2022-0609 but targeted 85 users from crypto and fintech organizations. It is assumed that behind these attacks is the same hack group that is responsible for the AppleJeus operation, described in detail back in 2018 by Kaspersky Lab.

The attacks included compromising at least two websites of real fintech companies and placing hidden iframes there to deploy a set of exploits against visitors. In other cases, we also observed that fake sites (previously set up to distribute Trojan cryptocurrency applications) host iframes that direct visitors to an exploit kit.the TAG report reads.

As in the previous case, the hackers also registered a number of new domains for these attacks and compromised a couple of real sites.

Little is known about the technical side of these campaigns. For example, it is reported that the iframe with a link to the exploit kit worked only at a certain time, and some targets received unique identifiers (so that the exploit worked only once), each stage of the kit’s work was encrypted (including client responses), and the transition to the next phases of the attack depended on the success of the previous one.

The initial activity of the exploit kit was to collect data about the target system, including user agent information and screen resolution. If the received data met some criteria (currently unknown), the client received a command to remote code execution in Chrome and the Javascript code that was used to escape from the sandbox.

Unfortunately, Google TAG experts were unable to recover any of the subsequent stages of the attack after RCE.

The North Korean hackers were also reportedly targeting not only Google Chrome users, but also Safari users on macOS and Firefox, who were directed “to specific links to known exploitation servers.” Alas, during parsing, these URLs no longer returned any response.

Let me remind you that we talked about the fact that North Korean hackers attack cybersecurity experts on social networks, and also that North Korean hackers stole $400 million in cryptocurrency in 2021.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove News-bpudepi.today pop-up ads (Virus Removal Guide)

News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…

1 day ago

Remove Doguhtam.xyz pop-up ads (Virus Removal Guide)

Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…

1 day ago

Remove News-xlixoti pop-up ads (Virus Removal Guide)

News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…

1 day ago

Remove Ducesousightion pop-up ads (Virus Removal Guide)

Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove News-xlabica.live pop-up ads (Virus Removal Guide)

News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove Mergechain.co.in pop-up ads (Virus Removal Guide)

Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…

1 day ago