Google discovered hackers based in North Korea spent weeks exploiting a zero-day remote code execution flaw in Chrome earlier this year.
Google's Threat Analysis Group (TAG) posted a disclosure report explaining how the authoritarian regime was able to prey on the bug to exploit multiple targets for both financial and intelligence attacks for weeks before the bug was patched.
The Chrome zero-day vulnerability, listed as CVE-2022-0609, is a use-after-free bug in Google's browser that allows attackers to place malicious code inside vulnerable memory locations. This would potentially result in remote code execution. The bug was patched in Chrome 98.0.4758.102, and rebooting the browser will apply the update for most users.
Before the patch was issued, however, the attackers spent weeks pulling off a number of covert operations between January 4 and February 14.
Adam Weidemann, a researcher with TAG, said that the reclusive authoritarian regime used the flaw to carry out a pair of operations that would boost its government's resources.
"We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques," Weidemann wrote.
"It is possible that other North Korean government-backed attackers have access to the same exploit kit."
In the first case, the attackers aimed to target news media and IT companies. The target was not the news content itself, but rather the infrastructure.
Using company names such as Disney and Variety, the hackers used job-seeking emails to bring targets to lookalike domains that would use iframes to install the malware via exploits written into the iframes. From there, the victims would be fed data-seeking malware.
The second attack was focused on the financial sector. Specifically, the North Korean attackers were looking to get into the systems of at least 85 different users who were connected to various cryptocurrency platforms.
Again, the aim of the attackers was to redirect users to a compromised site where an exploit script was executed against the Chrome flaw to install remote access malware.
According to Google, however, Chrome was not the only target in those attacks, as other platforms were also exploited.
"Although we recovered a Chrome RCE, we also found evidence where the attackers specifically checked for visitors using Safari on MacOS or Firefox (on any OS), and directed them to specific links on known exploitation servers," Weidemann said.
Despite being a reclusive and low-tech regime, North Korea has fostered a prolific hacking operation that has specialized in financial heists and stealing cryptocurrency in operations that can circumvent financial sanctions.