Google details North Korean attack groups targeting news media, IT and fintech cos

Google’s Threat Analysis Group (TAG) has shared the latest research findings on two separate North Korean government-backed attack groups targeting US news media, IT, crypto- currency and fintech.

In a blog post by Adam Weidemann, Threat Analysis Group, on February 10, they discovered that the two groups were exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. The vulnerability was patched on February 14.

The attackers’ activity has been publicly tracked as Operation Dream Job and Operation AppleJeus. The campaign, in line with Operation Dream Job, targeted more than 250 people working for 10 different news outlets, domain registrars, web hosting providers and software companies.

The victims received emails claiming to be from Disney, Google and Oracle recruiters with potential fake job opportunities, which contained links spoofing legitimate job search websites like Indeed and ZipRecruiter. Clicking on the links would serve them a hidden iframe that would trigger the exploit kit.

The other group, in line with Operation AppleJeus, targeted over 85 users in the cryptocurrency and fintech industries by exploiting the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, fake websites have been created to distribute trojanized cryptocurrency apps – hosting iframes and directing their visitors to the exploit kit.

According to Google’s TAG, the attackers deployed several protections to prevent security teams from recovering any of the steps. More details can be found here.

While the vulnerability was patched on February 14, threat actors repeatedly attempted to use the exploit days after the exploit was patched. This highlights the importance of applying security updates as soon as they are released.

“We suspect these groups are working for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operates with a different set of missions and deploys different techniques. It’s possible that other North Korean government-backed attackers have access to the same exploit kit,” TAG wrote in the post.