Hackers backed by the government of North Korea took advantage of a critical Chrome zero-day to attempt to infect the computers of hundreds of people working in a wide variety of industries, including news media, IT, cryptocurrency and financial services, Google said Thursday.
The flaw, tracked as CVE-2022-0609, was exploited by two separate North Korean hacking groups. Both groups deployed the same exploit kit on websites that either belonged to legitimate organizations and were hacked or set up for the express purpose of delivering attack code to unsuspecting visitors. One group was named Operation Dream Job and targeted more than 250 people working for 10 different companies. The other group, known as AppleJeus, targeted 85 users.
Dream Jobs and Cryptocurrency Wealth
“We suspect that these groups are working for the same entity with a shared supply chain, hence using the same exploit kit, but each with a different mission set and deploying different techniques,” Adam Weidemann, a researcher with Google’s Threat Analysis Group, wrote in a post. “It is possible that other attackers backed by the North Korean government may have access to the same exploit kit.”
Operation Dream Job has been active since at least June 2020, when researchers at security firm ClearSky saw the group targeting defense and government companies. The attackers targeted specific employees in those organizations with fake “dream job” offers at companies like Boeing, McDonnell Douglas and BAE. The hackers devised an elaborate social engineering campaign that used fictitious LinkedIn profiles, emails, WhatsApp messages and phone calls. The aim of the campaign was both to steal money and to gather information.
AppleJeus, meanwhile, dates back to at least 2018. That was when researchers at security firm Kaspersky spotted North Korean hackers targeting a cryptocurrency exchange using malware masquerading as a cryptocurrency trading application. The AppleJeus operation stood out for its use of a malicious app written for macOS. According to the company’s researchers, this was likely the first time an APT — short for government-backed “advanced persistent threat group” — used malware to target that platform. Also notable was the group’s use of malware that ran only in memory without writing a file to the hard drive, an advanced feature that makes detection much more difficult.
One of the two groups (Weidemann didn’t say which one) also used some of the same attack servers last year to infect security researchers. That campaign used fictional Twitter personas to build relationships with the researchers. Once a level of trust was established, the hackers used either an Internet Explorer zero-day or a malicious Visual Studio project that supposedly contained source code for a proof-of-concept exploit.
In February, Google researchers learned of a critical vulnerability in Chrome that was being actively exploited in the wild. The company’s engineers fixed the vulnerability and designated it CVE-2022-0609. On Thursday, the company released more details about the vulnerability and how the two North Korean groups had exploited it.
Operation Dream Job sent emails to targets that purported to come from recruiters working for Disney, Google and Oracle. Links embedded in the emails led to spoofed versions of legitimate job boards such as Indeed and ZipRecruiter. The sites contained an iframe that triggered the exploit.
Here is an example of one of the pages used:
Members of Operation AppleJeus compromised the websites of at least two legitimate financial services companies and a variety of ad hoc sites pushing malicious cryptocurrency apps. Like the Dream Job sites, the sites used by AppleJeus also contained iframes that triggered the exploit.
A fake app pushed by Operation AppleJeus
Is there a sandbox escape in this kit?
The exploit kit was written to carefully conceal the attack by, among other things, disguising the exploit code and only triggering remote code execution in certain cases. The kit also appears to have used a separate exploit to break out of the Chrome security sandbox. The Google researchers were unable to obtain that escape code, leaving open the possibility that the vulnerability it exploited has yet to be patched.