Google released a report identifying two North Korean government hacking campaigns that exploited a Google Chrome 0-day.
Adam Weidemann of Google Threat Analysis Group explained that on February 10, the company discovered two different North Korean campaigns, which it attributed to Operation Dream Job and Operation AppleGames – operator CVE-2022-0609. Researchers have known about Operation Dream Job since at least August 2020 and Operation AppleJeus since at least 2018.
The vulnerability was discovered and patched by Google in February, but they noted that they were aware of reports that an exploit existed in the wild.
Weidemann said the earliest evidence they have of an actively deployed exploit kit for the remote code execution vulnerability dates back to January 4. The report focuses on campaigns targeting US organizations, but they note that other organizations and countries may have been targeted.
“The campaign, consistent with Operation Dream Job, targeted over 250 people working for 10 different media outlets, domain registrars, web hosting providers and software vendors. The targets received emails claiming to be from Disney, Google and Oracle recruiters with potential fake job opportunities. The emails contained links spoofing legitimate job search websites like Indeed and ZipRecruiter,” Weidemann said.
“We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operates with a different set of missions and deploys different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit.
For the Operation Dream Job campaign, anyone who clicked on the links sent in the email would receive a hidden iframe that would trigger the exploit kit, according to Weidemann.
Fake domains included disneycareers[.]net, find a dream job[.]com, indeed we[.]org, varied work[.]com, ziprecruiters[.]org. Exploit URLs were https[:]//colasprint[.]com/about/about.asp and https[:]// varied work[.]com/sitemap/sitemap.asp.
The other campaign – Operation AppleJeus – involved the same exploit kit used to target over 85 users in the cryptocurrency and fintech industries.
“This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites – already set up to distribute trojanized cryptocurrency apps – hosting iframes and pointing their visitors to the exploit kit,” Weidemann explained.
“The attackers used an exploit kit containing several stages and components in order to exploit the targeted users. The attackers placed links to the exploit kit in hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.
He added that the group managed to cover their tracks by serving the iframe only at specific times, using unique identifiers to allow the exploit kit to be served only once, using Advanced Encryption Standard (AES) for each step and not serving additional steps if previous. those failed.
Google also found evidence that the attackers specifically searched for victims using Safari on macOS or Firefox and directed them to specific links on known exploit servers.
“Attackers made multiple attempts to use the exploit days after the vulnerability was patched on February 14, underscoring the importance of applying security updates as soon as they are available,” said added Weidemann.
Chainalysis, a firm that tracks illegal blockchain transactions, said in January that hackers working for the North Korean government allegedly stole nearly $400 million worth of cryptocurrency from seven hacked companies throughout 2021, up from 300 million dollars they stole from four companies in 2020.