North Korean hacker group found to be exploiting Chrome's zero-day vulnerability 'CVE-2022-0609'

A hacker group backed by the North Korean government has been exploiting Chrome's zero-day vulnerability 'CVE-2022-0609' against a wide range of industries, including US-based news media, IT, virtual currencies, and financial services, in an attempt to infect hundreds of computers with malware, Google announced on Thursday.

Countering threats from North Korea
https://blog.google/threat-analysis-group/countering-threats-north-korea/

North Korean hackers unleashed Chrome 0-day exploit on hundreds of US targets | Ars Technica
https://arstechnica.com/information-technology/2022/03/north-korean-hackers-unleashed-chrome-0-day-exploit-on-hundreds-of-us-targets/

The zero-day vulnerability in question, CVE-2022-0609, is a use-after-free bug in Chrome's animation handling that can lead to remote code execution. It was exploited by two separate North Korean hacking groups, tracked as 'Operation Dream Job' and 'Operation AppleJeus' respectively.

Operation Dream Job, a campaign tracked since June 2020, targeted more than 250 individuals working for 10 different news media outlets, domain registrars, web hosting providers, and software vendors. Targets received fake emails from someone claiming to be a recruiter at Disney, Google, or Oracle, saying that the company was quietly hiring. The email contained a link disguised as a well-known job site such as Indeed or ZipRecruiter; when the target clicked it, an exploit kit for CVE-2022-0609 was served inside an iframe.


Operation AppleJeus is said to have been tracked since 2018 and is a campaign targeting more than 85 people working in the virtual currency and fintech industries. The hacking group sent targets a link to a site posing as a fintech company's website, which deployed the exploit kit in an iframe.

The exploit kit first gathers as much information as possible about the victim's client and sends it to the attackers' server. Beyond collecting information, the attackers also broke into online banks and virtual currency exchanges. The malware used leaves no trace of itself in storage; it runs only in memory, yet has advanced functionality, which makes it very difficult to detect.

Google also said that Operation AppleJeus was the first North Korean government-backed hacking group to use 'malware written for macOS.'

According to Google's Threat Analysis Group, CVE-2022-0609 was disclosed in February 2022. However, since these campaigns have been active since at least around 2018, it appears that North Korean hacking groups had been aware of this zero-day vulnerability for a long time. North Korean hacker groups have also used another Chrome zero-day vulnerability in past attacks.

Microsoft publishes report on attacks by North Korean hackers using Chrome's zero-day vulnerability - GIGAZINE

In addition, CVE-2022-0609 has already been fixed in Chrome version 99 or later, which is the latest version of Chrome at the time of writing.
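For administrators who want to confirm that the browsers in their fleet are on or past the fixed release, the following added example (not code from the article or from Google) parses Chrome version strings and flags hosts still below the threshold. It assumes, following the article, that version 99 or later contains the fix; the inventory entries and hostnames are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Minimum Chrome version the article reports as containing the fix for
# CVE-2022-0609 (version 99 or later). Adjust if your vendor advisory
# names a different build.
FIXED_VERSION = "99.0.0.0"

# Matches a dotted version of one to four numeric components.
VERSION_RE = re.compile(r"(\d+(?:\.\d+){0,3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted Chrome version from text such as the output of
    `google-chrome --version` ("Google Chrome 99.0.4844.51") or an
    inventory field, and return it as a tuple of integers.
    Missing components are padded with zeros so that "99" == "99.0.0.0"."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(installed: str, minimum: str = FIXED_VERSION) -> bool:
    """True when the installed version is at least the fixed version.
    Integer tuple comparison orders 98.0.4758.102 below 99.0.4844.51,
    whereas naive string comparison would sort "100..." before "98..."."""
    have = parse_version(installed)
    need = parse_version(minimum)
    if have is None or need is None:
        return False  # unknown version: treat as unpatched
    return have >= need


# Constructed sample inventory (hostname, reported Chrome version string).
# These are not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 99.0.4844.51"),
    ("ws-02", "Google Chrome 98.0.4758.80"),
    ("ws-03", "Chromium 100.0.4896.60"),
    ("ws-04", "version unknown"),
]


def unpatched_hosts(inventory, minimum: str = FIXED_VERSION) -> List[str]:
    """Return the hostnames whose Chrome build is below the fixed version
    or whose version could not be parsed."""
    return [host for host, ver in inventory if not is_patched(ver, minimum)]


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below {FIXED_VERSION}, update required")
```

Unparseable entries are deliberately reported as unpatched, since a host whose browser version cannot be confirmed should be treated as exposed until it is checked.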

in Security, Posted by log1i_yk