North Korean hackers targeted Google Chrome users with fake job recruitment ads hoping to lure unsuspecting IT workers into clicking a link that would give the attackers access to victims’ browsers, according to Google’s security researchers.
Adam Weidemann from Google’s Threat Analysis Group shared details of the phishing campaign in a blog post last week, attributing attacks to two separate hacking groups understood to be associated with the North Korean state.
“We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operates with a different mission set and deploy different techniques,” Weidemann said.
“It is possible that other North Korean government-backed attackers have access to the same exploit kit.”
Both sets of bad actors leveraged CVE-2022-0609, a zero-day use-after-free vulnerability that attackers can use to execute remote code in Google’s Chrome browser.
Google pushed out a patch for the vulnerability, which affects Chrome’s Animation component, on 14 February, but attempts to get victims clicking dodgy links continued after the update was available, Weidemann said.
Google patched a second zero-day Chrome vulnerability with an update late last week, highlighting the importance of keeping your system up-to-date with the latest security patches – especially on commonly used, internet-facing software.
The earliest known use of the North Korean attacks dates back to 4 January, meaning a serious security flaw was present in Chrome for more than a month before it got fixed.
One group targeted people working at specific news outlets, domain registrars, and web hosting and software companies with emails claiming to be from recruiters for the likes of Disney, Google, and Oracle.
The emails had links to spoofed job websites like Indeed and ZipRecruiter which served an exploit kit embedded in the page’s HTML.
For defenders out there who are trying to understand if they were impacted - I'd look specifically for any hits to the known exploitation domains/urls. Activity goes back to at least Jan 4, 2022 and even continued after our Feb 14 patch.
— Adam (@digivector) March 24, 2022
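The check Weidemann suggests above, as an added example that is not code from Google or from this article: a Python scan over web-proxy logs for requests to known exploitation hosts inside the campaign window the article gives (from 4 January 2022, continuing past the 14 February patch). The indicator hostnames and the log format are constructed placeholders; the real domains and URLs are the ones published in the TAG post.

```python
# Added example, not from the TAG post or the article: flag proxy-log requests to
# known exploitation hosts within the campaign window described in the article.
# INDICATOR_HOSTS are PLACEHOLDERS; substitute the domains/URLs published by TAG.
from datetime import date, datetime
from urllib.parse import urlsplit

CAMPAIGN_START = date(2022, 1, 4)   # earliest known exploitation, per the article
PATCH_DATE = date(2022, 2, 14)      # Chrome fix for CVE-2022-0609 shipped

# Placeholder indicators (constructed); the real list comes from the TAG publication.
INDICATOR_HOSTS = {"recruiter-portal.example", "crypto-news.example"}

def host_matches(host, indicators):
    """True if host is an indicator or a subdomain of one (jobs.x.example -> x.example)."""
    host = host.lower().rstrip(".")
    return any(host == ind or host.endswith("." + ind) for ind in indicators)

def parse_proxy_line(line):
    """Parse a constructed 'ISO-timestamp client-ip METHOD url' proxy log line."""
    ts, client, method, url = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, method, url

def find_exploit_kit_hits(lines, indicators=INDICATOR_HOSTS):
    """Return hits to indicator hosts on/after CAMPAIGN_START, flagging post-patch ones."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, client, _method, url = parse_proxy_line(line)
        host = urlsplit(url).hostname or ""
        if ts.date() >= CAMPAIGN_START and host_matches(host, indicators):
            hits.append({
                "when": ts.isoformat(),
                "client": client,
                "host": host,
                # The campaign kept serving the kit after the fix, so a post-patch
                # hit means: confirm that client's Chrome was actually updated.
                "after_patch": ts.date() >= PATCH_DATE,
            })
    return hits

# Constructed sample log, not real traffic (the third line is a benign job site).
SAMPLE_LOG = """\
2021-12-20T09:12:01 10.0.0.5 GET https://recruiter-portal.example/jobs/123
2022-01-09T14:02:33 10.0.0.7 GET https://jobs.recruiter-portal.example/apply?id=abc
2022-02-03T11:45:10 10.0.0.9 GET https://careers.example.org/viewjob?jk=1
2022-02-20T08:30:00 10.0.0.7 GET https://crypto-news.example/latest
""".splitlines()

if __name__ == "__main__":
    for hit in find_exploit_kit_hits(SAMPLE_LOG):
        print(hit)
```

The first sample line is excluded because it predates the known campaign window; the subdomain match catches the per-victim unique links the article describes being hosted under a spoofed recruiter site.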
The other group of bad actors used the same exploit kit but instead went after cryptocurrency and fintech users, hosting exploits on attacker-owned cryptocurrency news sites or compromised legitimate websites.
Weidemann said the North Korean hackers were careful covering their tracks and had “multiple safeguards” built into the attacks to stop cyber security researchers uncovering specific details about the campaigns.
For starters, the malware was delivered in distinct stages that would only trigger if the previous one was successful, the bad actors opting for careful infection of specific host systems over blunt, broad-scale attacks.
Hackers also waited to serve the hidden iframes on dodgy websites that triggered the exploit kits to download at specific times – like when they expect a victim to visit – making it harder for researchers to replicate the exact conditions of infection.
Another method to avoid detection was putting unique links in the email phishing campaigns.
“This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to only be served once,” Weidemann said.
He had previously written about a similar campaign last year specifically targeting security professionals.
In that instance the bad actors created fake cyber security-related profiles on social media in order, somewhat ironically, to lure victims into clicking on a bad link that led to websites purporting to be about cyber security but which were really vectors of infection.