Google’s Threat Analysis Group (TAG) on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently-uncovered remote code execution flaw in the Chrome web browser.
The campaigns, once again “reflective of the regime’s immediate concerns and priorities,” are said to have targeted U.S.-based organizations spanning news media, IT, cryptocurrency, and fintech industries, with one set of the activities sharing direct infrastructure overlaps with previous attacks aimed at security researchers last year.
The vulnerability in question is CVE-2022-0609, a use-after-free vulnerability in the browser’s Animation component that Google addressed as part of updates (version 98.0.4758.102) issued on February 14, 2022. It’s also the first zero-day flaw patched by the tech giant since the start of 2022.
“The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022,” Google TAG researcher Adam Weidemann said in a report. “We suspect these groups may work together with the same supply chain. Therefore, the exploit kit is used by both of them. However, each group operates with different missions and employs different techniques.”
The first campaign, consistent with TTPs associated with what Israeli cybersecurity firm ClearSky described as “Operation Dream Job” in August 2020, was directed against over 250 individuals working for 10 different news media, domain registrars, web hosting providers, and software vendors, luring them with fake job offers from companies like Disney, Google, and Oracle.
The usage of phony job listings is a time-tested tactic of the Lazarus group, which, earlier this January, was found impersonating the American global security and aerospace company Lockheed Martin to distribute malware payloads to target individuals seeking jobs in the aerospace and defense industry.
“The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country,” ClearSky researchers noted at the time.
The second activity cluster that’s believed to have leveraged the same Chrome zero-day relates to Operation AppleJeus, which compromised at least two legitimate fintech company websites to serve the exploit to no fewer than 85 users.
According to Google TAG, the exploit kit is designed as a multi-stage infection process that embeds attack code in hidden iframes on both compromised and rogue websites.
“In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit,” Weidemann said.
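For site owners, the delivery method described above suggests a simple audit: flag iframes that are visually hidden and load from a host other than the page’s own. The sketch below is an added example, not code from Google TAG’s report; the hiding heuristics, the `audit` function and the `.example` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Heuristics for "hidden" are assumptions of this example, not details from the report.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(\.0+)?\s*(;|$)"
    r"|(?<![\w-])(width|height)\s*:\s*[01](px)?\s*(;|$)", re.I)

class IframeAuditor(HTMLParser):
    """Collects iframes that are visually hidden and load from another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden-style")
        if "hidden" in a:  # boolean HTML attribute
            reasons.append("hidden-attr")
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("tiny-size")
        # Relative URLs have no hostname and resolve to the page's own host.
        host = (urlparse(a.get("src", "")).hostname or self.page_host).lower()
        if reasons and host != self.page_host:
            self.findings.append((host, reasons))

def audit(html, page_host):
    """Return [(frame_host, [reasons])] for hidden cross-host iframes."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page; every host uses the reserved .example TLD.
SAMPLE = """
<iframe src="https://video.partner.example/embed/1" width="640" height="360"></iframe>
<iframe src="/local/widget.html" style="display:none"></iframe>
<iframe src="https://cdn.unknown.example/a" style="width:1px; height:1px"></iframe>
<iframe src="//stats.unknown.example/b" hidden></iframe>
"""

if __name__ == "__main__":
    for host, reasons in audit(SAMPLE, "www.shop.example"):
        print(host, reasons)
```

Static inspection like this misses frames injected by script at load time, so it complements rather than replaces file-integrity monitoring and a restrictive `frame-src` Content Security Policy.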
The initial stage encompassed a reconnaissance phase to fingerprint the targeted machines that was then followed by serving the remote code execution (RCE) exploit, which, when successful, led to the retrieval of a second-stage package engineered to escape the sandbox and carry out further post-exploitation activities.
Google TAG, which discovered the campaigns on February 10, noted that it was “unable to recover any of the stages that followed the initial RCE,” emphasizing that the threat actors made use of several safeguards, including the use of AES encryption, designed explicitly to obscure their tracks and hinder the recovery of intermediate stages.
Additionally, the campaigns checked for visitors using non-Chromium-based browsers such as Safari on macOS or Mozilla Firefox (on any operating system), redirecting the victims to specific links on known exploitation servers. It’s not immediately clear if any of those attempts were fruitful.
The findings come as threat intelligence company Mandiant mapped different Lazarus sub-groups to various government organizations in North Korea, including the Reconnaissance General Bureau, the United Front Department (UFD), and the Ministry of State Security (MSS).
Lazarus is the umbrella moniker collectively referring to espionage operations originating from the heavily-sanctioned hermit kingdom, in the same manner Winnti and MuddyWater function as a conglomerate of multiple teams to help further China and Iran’s geopolitical and national security objectives.
“The intelligence apparatus of North Korea has the ability and resilience to build cyber units according to the country’s needs,” Mandiant researchers stated. “Additionally overlaps in infrastructure, malware, and tactics, techniques and procedures indicate there are shared resources amongst their cyber operations.”