North Korean threat actors target news outlets and fintechs with a Google Chrome vulnerability

A vulnerability affecting Google Chrome allows attackers to execute remote code on targeted users. Two North Korean threat actors are using it to attack news outlets, software vendors and fintechs in the U.S.

Threat actors from North Korea have been exploiting a vulnerability in Google Chrome to target certain users with remote code, particularly news outlets, software vendors and fintechs in the United States.

CVE-2022-0609 is a remote code execution vulnerability affecting Google Chrome. According to Google, a patch was released on Feb. 14, 2022, while the first evidence of an exploitation of the vulnerability dates to Jan. 4, 2022.

SEE: Google Chrome: Security and UI tips you need to know  (TechRepublic Premium)

On Feb. 10, Google’s TAG (Threat Analysis Group) team discovered two distinct threat actors using that vulnerability to target U.S.-based organizations spanning news media, IT, cryptocurrency and fintech industries. It is possible that more organizations and countries have been targeted in those attack campaigns.

Operation Dream job

The threat actors behind the previously reported “Operation Dream job” are one of the two actors leveraging the CVE-2022-0609 vulnerability.

Individuals from 10 different news media have been targeted by the threat actor, in addition to software vendors, domain name registrars and web hosting providers. All in all, more than 250 people have been targeted by this campaign.

The attacking scheme started with emails reaching these people, pretending to be job opportunities coming from Disney, Oracle and Google (Figure A).

Figure A

The links in the fraudulent emails led the user to fake job offer websites which served a hidden iframe triggering the exploit kit.

Operation AppleJeus

The second threat actor exploiting the CVE-2022-0609 vulnerability has already been known for a previous attack campaign called Operation AppleJeus.

More than 85 people from fintech industries and cryptocurrency have been targeted in the current attack campaign.

Two legitimate fintech companies have been compromised in order for the attackers to add a malicious iframe on the legitimate websites, serving the exploit kit to infect visitors. In other cases, Google observed fake websites also serving the exploit kit, and already set up to distribute trojanized cryptocurrency applications.

The exploit kit

Users have been served the exploit kit either by visiting a legitimate website compromised by the attackers or by being led to fake websites created by the threat actors. In all cases, an iframe started the infection chain.

The exploit kit contained multiple stages and components. For starters, heavily obfuscated JavaScript code was used to fingerprint the visiting system. The code collected probing information like browser user-agent, screen resolution and more, which were sent back to the exploitation server. Based on the data, the visitor would be served the Chrome remote code execution (RCE) exploit and additional JavaScript code. The exact conditions for a visitor to be served the exploit are unknown, since all the code analyzing the data is hosted on the attacker’s server.

If the Chrome exploit was successful, the additional JavaScript code would launch the next stage, referenced within the script as “SBX,” a common acronym for “Sandbox escape.” Unfortunately, stages following the initial exploitation of the Chrome exploit could not be recovered by Google’s TAG team.

In an attempt to protect their exploits, the attackers deployed multiple techniques to make it harder for security teams to recover any of the stages. The iframe is only served at specific times and unique IDs were used in infecting links to avoid the exploit kit to be served more than once from the same link. Each stage has also been heavily encrypted with the AES algorithm, including the clients’ responses. No additional stage would be served if all the previous ones would not be completed.

In addition to the exploit kit, Google’s TAG team also found evidence of specific links built for Safari on MacOS or Firefox leading to known exploitation servers, yet none responded at the time of Google’s investigation. It is therefore impossible to know what exploit would be triggered, if any, for those different browsers.

Who are these attackers?

According to Google, the two threat actors originate from North Korea. Both groups used the exact same exploit kit. The kit being private, it is possible that both groups work for the same entity and share tools. Yet the two probably operate with different mission sets and different deployment techniques. It is also possible that more North Korean government-backed attackers might have access to the same exploit kit.

How to protect from this threat

Since the threat consists of an exploit allowing attackers to execute remote code via a vulnerability in Google Chrome, it is advised to deploy the patch as soon as possible, which can be easily done via Group Policy Object (GPO).

In addition, it is advised to use blocking and anti-phishing software or browser plugins like Enhanced Safe Browsing for Chrome, in order to block the fraudulent websites created by the attackers.

In some cases, the attackers served the exploit kit via legitimate website. The only solutions not to be infected in these cases would be to always stay up to date with software, and if possible, deactivate JavaScript.

To protect from phishing attempts, users should never click on a link coming from an unknown sender. If coming from a seemingly legitimate company, users should first check carefully if the link delivered in the email leads to the legitimate website.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.