North Korean hackers target employees of news organizations, software companies and more via Chrome vulnerability

Google has published a report identifying two North Korean government hacking campaigns that exploited a zero-day vulnerability in Google Chrome.

Adam Weidemann of Google's Threat Analysis Group explained that on February 10 the company discovered two different North Korean campaigns, which it attributed to Operation Dream Job and Operation AppleJeus, exploiting CVE-2022-0609. Researchers have known about Operation Dream Job since at least August 2020 and Operation AppleJeus since at least 2018.

Google disclosed and patched the vulnerability in February, noting at the time that it was aware of reports that an exploit existed in the wild.

Weidemann said the earliest evidence they have of an actively deployed exploit kit for the remote code execution vulnerability dates back to January 4. The report focuses on campaigns targeting US organizations, but they note that other organizations and countries may have been targeted.

“The campaign, consistent with Operation Dream Job, targeted over 250 people working for 10 different media outlets, domain registrars, web hosting providers and software vendors. The targets received emails claiming to be from Disney, Google and Oracle recruiters with potential fake job opportunities. The emails contained links spoofing legitimate job search websites like Indeed and ZipRecruiter,” Weidemann said.

“We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operates with a different set of missions and deploys different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit.”

For the Operation Dream Job campaign, anyone who clicked on the links sent in the email would receive a hidden iframe that would trigger the exploit kit, according to Weidemann.

Fake domains included disneycareers[.]net, find a dream job[.]com, indeed we[.]org, varied work[.]com, ziprecruiters[.]org. Exploit URLs were https[:]//colasprint[.]com/about/about.asp and https[:]// varied work[.]com/sitemap/sitemap.asp.

A fake job search site. Image: Google Threat Analysis Group

The other campaign – Operation AppleJeus – involved the same exploit kit used to target over 85 users in the cryptocurrency and fintech industries.

“This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites – already set up to distribute Trojan cryptocurrency apps – host iframes and direct their visitors to the exploit kit,” Weidemann explained.

“The attackers used an exploit kit containing several stages and components in order to exploit the targeted users. The attackers placed links to the exploit kit in hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.”

Weidemann noted that the kit first serves “a heavily obfuscated javascript used to identify the target system” before collecting data such as the user agent and sending it back to the attackers' exploit server.

If an unknown set of requirements was met, the victim was then served a Chrome remote code execution exploit and additional JavaScript, Weidemann explained.

“If the RCE was successful, the javascript would request the next step referenced in the script as ‘SBX’, a common acronym for Sandbox Escape. Unfortunately, we were unable to retrieve any of the steps that followed the initial RCE,” he said.

He added that the group took care to cover its tracks: serving the iframe only at specific times, using unique identifiers so that the exploit kit would be served to a given visitor only once, encrypting each stage with the Advanced Encryption Standard (AES), and not serving additional stages if a previous one had failed.
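The delivery mechanism described above, a hidden iframe on an owned or compromised site that pulls the exploit kit from a separate host, is something a site owner can hunt for in their own pages. The following scanner is an added illustration, not code from Google TAG or from the article; it flags iframes that are both hidden (zero size or a hiding style) and sourced from a host other than the page's own. The HTML sample and the hostnames in it are constructed placeholders.

```python
"""Heuristic scan for hidden iframes that load content from another host.

Added illustration, not code from Google TAG or the article. The HTML
snippet below is constructed for the example; the domains are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline style fragments that make an iframe effectively invisible.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:[^.\d]|$)",
    re.IGNORECASE,
)


def _is_zero_size(attrs):
    """True when width or height is explicitly 0 (or 0px) via attribute or style."""
    for key in ("width", "height"):
        val = attrs.get(key)
        if val is not None and val.strip().rstrip("px").strip() == "0":
            return True
    style = attrs.get("style", "")
    return bool(re.search(r"(width|height)\s*:\s*0(px)?\s*(;|$)", style, re.IGNORECASE))


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are hidden and sourced from a host other than the page's."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if not host or host.lower() == self.page_host:
            return  # relative or same-host src: not the pattern being hunted
        hidden = _is_zero_size(attrs) or bool(HIDING_STYLE.search(attrs.get("style", "")))
        if hidden:
            self.findings.append({"src": src, "host": host.lower()})


def find_hidden_offsite_iframes(html, page_host):
    """Return a list of {'src', 'host'} dicts for each hidden off-site iframe."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one visible same-host embed, two hidden off-site
# iframes, and one hidden but same-origin iframe that should not be flagged.
SAMPLE_HTML = """
<html><body>
<h1>Careers</h1>
<iframe src="https://www.example-fintech.test/widget" width="600" height="400"></iframe>
<iframe src="https://exploit-server.invalid/about/about.asp" width="0" height="0"></iframe>
<div><iframe style="display:none" src="https://exploit-server.invalid/sitemap/sitemap.asp"></iframe></div>
<iframe src="/local/frame.html" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_hidden_offsite_iframes(SAMPLE_HTML, "www.example-fintech.test"):
        print(f"hidden off-site iframe -> {finding['src']}")
```

Run against a saved copy of a page with the site's own hostname as the second argument; two hits are reported for the sample above. Because the real kit only served the iframe at certain times and once per visitor, a single clean fetch proves little, so this kind of check is most useful when run repeatedly from the server side against the page source rather than from a one-off browser visit.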

Google also found evidence that the attackers specifically searched for victims using Safari on macOS or Firefox and directed them to specific links on known exploit servers.

“Attackers made multiple attempts to use the exploit days after the vulnerability was patched on February 14, underscoring the importance of applying security updates as soon as they are available,” Weidemann added.

Chainalysis, a company that tracks illegal blockchain transactions, said in January that hackers working for the North Korean government allegedly stole nearly $400 million worth of cryptocurrency from seven hacked companies throughout 2021, compared to $300 million stolen from four companies in 2020.

Jonathan has worked around the world as a journalist since 2014. Before returning to New York, he worked in South Africa, Jordan and Cambodia.
