Google’s Threat Analysis Group (TAG) on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently-uncovered remote code execution flaw in the Chrome web browser.
The campaigns, once again “reflective of the regime’s immediate concerns and priorities,” are said to have targeted U.S. based organizations spanning news media, IT, cryptocurrency, and fintech industries, with one set of the activities sharing direct infrastructure overlaps with previous attacks aimed at security researchers last year.
The shortcoming in question is CVE-2022-0609, a use-after-free vulnerability in the browser’s Animation component that Google addressed as part of updates (version 98.0.4758.102) issued on February 14, 2022. It’s also the first zero-day flaw patched by the tech giant since the start of 2022.
“The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022,” Google TAG researcher Adam Weidemann said in a report. “We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques.”
The first campaign, consistent with TTPs associated with what Israeli cybersecurity firm ClearSky described as “Operation Dream Job” in August 2020, was directed against over 250 individuals working for 10 different news media, domain registrars, web hosting providers, and software vendors, luring them with fake job offers from companies like Disney, Google, and Oracle.
The usage of phony job listings is a time-tested tactic of North Korean nation-state groups, which, earlier this January, was found impersonating the American global security and aerospace company Lockheed Martin to distribute malware payloads to target individuals seeking jobs in the aerospace and defense industry.
“The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country,” ClearSky researchers noted at the time.
The second activity cluster that’s believed to have leveraged the same Chrome zero-day relates to Operation AppleJeus, which compromised at least two legitimate fintech company websites to serve the exploit to no less than 85 users.
The exploit kit, according to Google TAG, is fashioned as a multi-stage infection chain that involves embedding the attack code within hidden internet frames on both compromised websites as well as rogue websites under their control.
“In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit,” Weidemann said.
The initial stage encompassed a reconnaissance phase to fingerprint the targeted machines that was then followed by serving the remote code execution (RCE) exploit, which, when successful, led to the retrieval of a second-stage package engineered to escape the sandbox and carry out further post-exploitation activities.
Google TAG, which discovered the intrusions on February 10, noted that it was “unable to recover any of the stages that followed the initial RCE,” emphasizing that the threat actors made use of several safeguards, including the use of AES encryption, designed explicitly to obscure their tracks and hinder the recovery of intermediate stages.
Additionally, the campaigns checked for visitors using non-Chromium based browsers such as Safari on macOS or Mozilla Firefox (on any operating system), redirecting the victims to specific links on known exploitation servers. It’s not immediately clear if any of those attempts were fruitful.
The findings come as threat intelligence company Mandiant mapped different Lazarus sub-groups to various government organizations in North Korea, including the Reconnaissance General Bureau (RGB), the United Front Department (UFD), and the Ministry of State Security (MSS).
Lazarus is the umbrella moniker collectively referring to malicious cyber and financial crime operations originating from the heavily-sanctioned hermit kingdom, in the same manner Winnti and MuddyWater function as a conglomerate of multiple teams to help further China and Iran’s geopolitical and national security objectives.
“North Korea’s intelligence apparatus possesses the flexibility and resilience to create cyber units based on the needs of the country,” Mandiant researchers said. “Additionally overlaps in infrastructure, malware, and tactics, techniques and procedures indicate there are shared resources amongst their cyber operations.”