North Korean Actors Exploited Chrome Flaw to Target U.S. Orgs

Google researchers have detailed campaigns by two North Korean government-backed groups that exploited a now-fixed Chrome flaw to target organizations across various industries.

Researchers have detailed campaigns by two North Korean government-backed attack groups that leveraged the same exploit kit to target U.S. organizations across the news media, IT, cryptocurrency and fintech sectors.

The groups were exploiting CVE-2022-0609, a high-severity use-after-free in the Animation component of the Google Chrome browser that the attackers turned into remote code execution. Google fixed it in Chrome version 98.0.4758.102, released Feb. 14. Researchers discovered the campaigns on Feb. 10, but they said the exploit kit had been deployed as early as Jan. 4.

“The attackers made multiple attempts to use the exploit days after the vulnerability was patched on February 14, which stresses the importance of applying security updates as they become available,” said Adam Weidemann with Google’s Threat Analysis Group (TAG) in a Thursday analysis.
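The operational point in that quote is that a client's patch level is the difference between an exploit succeeding and failing. The following is an added example, not code from Google TAG or from this article, showing one way a SOC would act on it: parse a proxy log, pull the Chrome build out of each user-agent, compare it with 98.0.4758.102, and flag requests to the domains named in this article. The log format, the client addresses and every log line are constructed for the example; the domain list is taken from the article (the two fintech sites were legitimate and only briefly compromised, so hits on them only matter inside that window). Two caveats are built in: a user-agent is self-reported and can be spoofed, and newer Chrome sends a reduced user-agent (major.0.0.0) that carries no patch-level information, which the code treats as unknown rather than as patched.

```python
import re
from urllib.parse import urlsplit

# First Chrome build that contains the fix for CVE-2022-0609 (Feb. 14, 2022).
FIXED_VERSION = (98, 0, 4758, 102)

# Domains named in the article, as TAG defanged them. options-it[.]com and
# tradingtechnologies[.]com were legitimate sites that were compromised and
# cleaned, so hits on them matter only inside the compromise window.
IOC_DOMAINS_DEFANGED = [
    "indeedus[.]org",
    "ziprecruiters[.]org",
    "options-it[.]com",
    "tradingtechnologies[.]com",
]


def refang(domain):
    """Turn a defanged indicator like 'a[.]b' back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def matches_ioc(host):
    """True for the IOC domain itself or any of its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


CHROME_RE = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def chrome_version(user_agent):
    """Chrome version tuple from a user-agent, or None when there is none or
    when the UA is reduced (major.0.0.0), which says nothing about patch level.
    Chromium-based browsers such as Edge carry a Chrome/ token too; treat
    their result as approximate, since they patch on their own schedule."""
    m = CHROME_RE.search(user_agent)
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    if version[1:] == (0, 0, 0):
        return None
    return version


def is_vulnerable_build(version):
    """Plain tuple comparison is correct because every component is an int."""
    return version is not None and version < FIXED_VERSION


# Hypothetical proxy log format: <timestamp> <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, ua = m.groups()
    return {"ts": ts, "client": client, "host": urlsplit(url).hostname or "", "ua": ua}


def classify(record):
    """Verdict for one request, or None if the host is not an indicator."""
    if not matches_ioc(record["host"]):
        return None
    version = chrome_version(record["ua"])
    if version is None:
        return "ioc-visit-patch-level-unknown"
    if is_vulnerable_build(version):
        return "ioc-visit-vulnerable-chrome"
    return "ioc-visit-patched-chrome"


def triage(log_lines):
    """(timestamp, client, host, verdict) for every request to an IOC domain."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is not None:
            hits.append((rec["ts"], rec["client"], rec["host"], verdict))
    return hits


def stale_chrome_clients(log_lines):
    """Clients still on a pre-fix Chrome build anywhere in the log. The kit
    was used for days after the patch, so these need updating regardless
    of what they visited."""
    stale = set()
    for line in log_lines:
        rec = parse_line(line)
        if rec is not None and is_vulnerable_build(chrome_version(rec["ua"])):
            stale.add(rec["client"])
    return stale


# Constructed sample traffic, not real log data.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/{v} Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:97.0) Gecko/20100101 Firefox/97.0"


def log_line(ts, client, url, ua):
    return f'{ts} {client} GET {url} "{ua}"'


SAMPLE_LOG = [
    log_line("2022-02-16T09:12:44Z", "10.20.30.41", "https://indeedus.org/jobs/senior-engineer", CHROME_UA.format(v="98.0.4758.80")),
    log_line("2022-02-16T10:03:17Z", "10.20.30.42", "https://www.tradingtechnologies.com/", CHROME_UA.format(v="98.0.4758.102")),
    log_line("2022-02-17T08:45:02Z", "10.20.30.43", "https://ziprecruiters.org/apply", CHROME_UA.format(v="101.0.0.0")),
    log_line("2022-02-17T11:20:55Z", "10.20.30.44", "https://options-it.com/", FIREFOX_UA),
    log_line("2022-02-17T12:00:00Z", "10.20.30.45", "https://example.com/", CHROME_UA.format(v="97.0.4692.99")),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit)
    print("stale clients:", sorted(stale_chrome_clients(SAMPLE_LOG)))
```

On the sample, the first request (pre-fix build visiting a lure domain) is the one to open an incident on; the third and fourth hits are IOC visits where the log cannot tell you the patch level (a reduced UA and a non-Chrome browser), so the endpoint has to be checked directly; and the fifth client never touched an indicator but is still running an exploitable build.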

Both campaigns used an exploit kit that was triggered via hidden iframes that were embedded on websites. One of the campaigns targeted over 250 employees of 10 different news media, domain registrars, web hosting providers and software vendors. These targeted employees received emails that claimed to be from recruiters at companies like Disney, Google and Oracle, and that contained links spoofing legitimate job hunting websites, like Indeed or ZipRecruiter (using fake domains like indeedus[.]org and ziprecruiters[.]org).

Another campaign targeted 85 users in the cryptocurrency and fintech sectors. Here the actors compromised at least two legitimate fintech websites (options-it[.]com and tradingtechnologies[.]com) and planted hidden iframes on them to deliver the exploit kit to visitors; both sites quickly remediated the issue, and Google confirmed they are no longer compromised. Other fake websites, which the actors had previously set up to distribute trojanized cryptocurrency applications, also hosted iframes that pointed visitors to the exploit kit.

The exploit kit started with links that delivered heavily obfuscated JavaScript to fingerprint the target system, collecting whatever information was available to the page, such as the user-agent string. The attackers built in several safeguards against detection: the iframe was served only at specific times, presumably when they knew a target would be visiting the site, and each stage was AES-encrypted with a session-specific key, which also frustrates after-the-fact recovery of the stages from captured traffic.
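For a site owner or hunter who wants to check pages for the delivery pattern above, the following is an added example, not code from Google TAG or from the sites involved. It parses fetched HTML, collects every iframe, and reports those that are both sourced from a different site and hidden from the visitor. TAG's report does not say how the planted iframes were hidden, so the hiding checks (the hidden attribute, display:none, visibility:hidden, zero size, offscreen placement) are an assumption covering the usual tricks, the sample page and its hostnames are constructed, and the site-matching helper is a crude last-two-labels rule rather than a public-suffix lookup. Because the article says the iframe was only served at certain times, a single fetch that finds nothing proves nothing: run this repeatedly, from different networks, and with the user-agents the attackers were targeting.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs arrives as [(name, value)]; value is None for bare attributes like 'hidden'
            self.iframes.append(dict(attrs))


def parse_style(style):
    """'a: b; c: d' -> {'a': 'b', 'c': 'd'}, lowercased and stripped."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            name, value = part.split(":", 1)
            decls[name.strip().lower()] = value.strip().lower()
    return decls


def _px(value):
    """Numeric pixel value from '0', '0px' or '-9999px'; None for anything else (e.g. '100%')."""
    m = re.match(r"^(-?\d+(?:\.\d+)?)(px)?$", (value or "").strip().lower())
    return float(m.group(1)) if m else None


def hiding_reasons(attrs):
    """Why an iframe with these attributes would be invisible to the visitor.
    These are the common tricks (assumed here, not taken from TAG's report)."""
    style = parse_style(attrs.get("style") or "")
    reasons = []
    if "hidden" in attrs:
        reasons.append("hidden-attribute")
    if style.get("display") == "none":
        reasons.append("display:none")
    if style.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    # HTML width/height attributes take precedence over the style declarations here
    dims = [_px(attrs.get(d) if attrs.get(d) is not None else style.get(d)) for d in ("width", "height")]
    if any(v is not None and v <= 1 for v in dims):
        reasons.append("zero-size")
    if any(_px(style.get(o)) is not None and _px(style.get(o)) < -1000 for o in ("left", "top")):
        reasons.append("offscreen")
    return reasons


def registrable(host):
    """Crude eTLD+1 (last two labels): fine for the sample, wrong for
    multi-part public suffixes such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def find_suspicious_iframes(page_url, html):
    """Iframes that are both hidden and sourced from another site."""
    page_site = registrable(urlsplit(page_url).hostname or "")
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        src_host = urlsplit(src).hostname
        if not src_host:
            continue  # relative URL, about:blank or srcdoc: same site as the page
        reasons = hiding_reasons(attrs)
        if registrable(src_host) != page_site and reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page; the hostnames are placeholders, not real indicators.
SAMPLE_HTML = """<html><body>
<h1>Market data</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="/support/chat" style="display:none"></iframe>
<iframe src="https://cdn-metrics.example/track.html" width="0" height="0" style="border:0"></iframe>
<iframe src="https://assets-loader.example/jobs.html" style="position:absolute; left:-9999px; top:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_iframes("https://www.tradingtechnologies.com/", SAMPLE_HTML):
        print(f["src"], ",".join(f["reasons"]))
```

On the sample, the visible video embed and the same-site hidden chat widget are left alone; the two off-site frames, one sized 0x0 and one pushed off the left edge of the page, are reported with the reason that triggered them.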

“If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional javascript,” said Weidemann. “If the RCE was successful, the javascript would request the next stage referenced within the script as ‘SBX’, a common acronym for Sandbox Escape. We unfortunately were unable to recover any of the stages that followed the initial RCE.”

Researchers linked the attacks to previously identified activity clusters, including one uncovered last year that targeted security researchers working on vulnerability research. The groups have also been linked to activity publicly tracked as Operation Dream Job, a series of 2020 attacks that infected several dozen companies and organizations in Israel and globally, and Operation AppleJeus, a 2018 campaign that hit a number of financial organizations and global cryptocurrency exchanges, said Weidemann.

“We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques,” said Weidemann. “It is possible that other North Korean government-backed attackers have access to the same exploit kit.”

Both of these previous activity clusters have been attributed to the Lazarus Group, which is an umbrella term referring to numerous North Korean operators. In a recent analysis, researchers with Mandiant pointed to a flexible intelligence apparatus in North Korea that has created multiple cyber units based on the needs of the country, with some shared resources in cyber operations that include overlaps in infrastructure, malware, and tactics, techniques and procedures.

“Mandiant believes that North Korea's cyber capability supports both long-standing and immediate political and national security priorities, as well as financial goals,” according to Mandiant. “We assess most of North Korea's cyber operations, including espionage, destructive operations, and financial crimes, are primarily conducted by elements within the Reconnaissance General Bureau.”