The Google Threat Analysis Group (TAG) reports that the vulnerability was exploited by two different North Korean government-backed hacking groups in two separate campaigns.
According to the TAG report, the hackers reached their victims through emails, fake sites, or compromised legitimate sites, all of which eventually led to the activation of an exploit kit containing the exploit for CVE-2022-0609. Interestingly, the first signs of this activity were discovered on January 4, 2022, while the vulnerability itself was found only on February 10 and fixed a few days later.
One of the two aforementioned hacking groups attacked over “250 people working for 10 different media outlets, domain registrars, hosting providers and software vendors.” Google TAG notes that these attacks are likely related to the Dream Job cyber-espionage operation, which researchers at ClearSky described in detail back in 2020.
Let me remind you that as part of Dream Job, the hackers lured victims with fake job offers at well-known US defense and aerospace companies, including Boeing, McDonnell Douglas and BAE. Now Google TAG writes that in the course of the new attacks, targets received phishing emails with fake job offers at Disney, Google and Oracle.
For this campaign, the attacker registered several domains, including disneycareers[.]net and find-dreamjob[.]com, but also compromised at least one real job site.
The second hacking campaign discovered by Google TAG used the same exploit kit for CVE-2022-0609 but targeted 85 users from crypto and fintech organizations. The same hacking group that was responsible for the AppleJeus operation, described in detail back in 2018 by Kaspersky Lab, is believed to be behind these attacks.
As in the previous case, the hackers also registered a number of new domains for these attacks and compromised a couple of real sites.
Little is known about the technical side of these campaigns. It is reported, for example, that the iframe with a link to the exploit kit worked only at certain times, and that some targets received unique identifiers so that the exploit worked only once. Each stage of the kit’s operation was encrypted (including client responses), and the transition to the next phase of the attack depended on the success of the previous one.
The exploit kit’s initial activity was to collect data about the target system, including user agent information and screen resolution. If the collected data met certain criteria (currently unknown), the client received a command that triggered remote code execution in Chrome, together with the JavaScript code used to escape the sandbox.
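As an added illustration from the defender’s side (this is example code, not part of the original article or the Google TAG report), the script below refangs the two attacker domains named above and scans constructed web proxy log lines for hosts that match them, also recording the referring host so that a legitimate site that redirected visitors to the kit can be spotted. The log format and all log lines are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Defanged domains as published in the TAG write-up summarised above.
DEFANGED_IOCS = ["disneycareers[.]net", "find-dreamjob[.]com"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()

IOC_HOSTS = {refang(d) for d in DEFANGED_IOCS}

# Constructed proxy log lines (not real traffic). Assumed format:
# <timestamp> <client-ip> <host> <path> <referer-or-->
SAMPLE_LOG = """\
2022-01-05T09:12:41Z 10.0.0.12 jobs.example-hosting.test /apply?id=7 -
2022-01-05T09:12:43Z 10.0.0.12 disneycareers.net /careers?uid=a3f9 https://jobs.example-hosting.test/apply?id=7
2022-01-05T09:13:10Z 10.0.0.33 www.google.com /search?q=disney+careers -
2022-01-05T09:14:02Z 10.0.0.48 find-dreamjob.com /offer -
2022-01-05T09:15:30Z 10.0.0.48 cdn.find-dreamjob.com /kit.js https://find-dreamjob.com/offer
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def host_matches(host: str, ioc_hosts) -> bool:
    """Exact match or subdomain of a known indicator."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in ioc_hosts)

def scan_proxy_log(log_text: str, ioc_hosts=IOC_HOSTS):
    """Return one hit per log line whose host matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, host, path, referer = m.groups()
        if not host_matches(host, ioc_hosts):
            continue
        # Keep the referring host: if it is a legitimate site, it may be the
        # compromised page that redirected the victim to the exploit kit.
        ref_host = urlparse(referer).hostname if referer != "-" else None
        hits.append({"time": ts, "client": client, "host": host.lower(),
                     "path": path, "referer_host": ref_host})
    return hits

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```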
Unfortunately, Google TAG experts were unable to recover any of the subsequent stages of the attack after RCE.
Let me remind you that we talked about the fact that North Korean hackers attack cybersecurity experts on social networks, and also that North Korean hackers stole $400 million in cryptocurrency in 2021.