North Korea Chrome zero-day

Google has stopped two North Korean hacking groups from exploiting a Chrome zero-day bug. Google released patches in February, but the exploit was already in use before then.

Google’s Threat Analysis Group (TAG) has claimed that the hacker groups were exploiting an RCE (remote code execution) vulnerability in Chrome that is tracked as CVE-2022-0609.


In February, after this incident was discovered, the US Cybersecurity and Infrastructure Security Agency (CISA) mandated that all government agencies patch this Chrome zero-day bug immediately.

Targets

Beyond this exploit, North Korean hacking groups have also been behind the attack on the international bank-messaging system SWIFT, which has been linked to the North Korean hacking group “Lazarus,” the group alleged to have hacked Sony Pictures.

Consistent with Operation Dream Job, the campaigns observed by Google’s TAG targeted U.S.-based organizations in sectors such as:-

  • News media
  • IT
  • Cryptocurrency
  • Fintech industries
  • Domain registrars
  • Web hosting providers
  • Software vendors

The targets were emailed a fake job opportunity by senders claiming to be recruiters from the following well-known MNCs:-

  • Disney
  • Google
  • Oracle

Here’s what Adam Weidemann of TAG stated:-

“We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operates with a different mission set and deploys different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit.”

Exploit kit

To exploit the targeted users, the attackers used an exploit kit made up of multiple components and stages. On both websites they owned and websites they had compromised, the attackers embedded links to the exploit kit within hidden iframes.

The kit begins by fingerprinting the target system with heavily obfuscated JavaScript. This script gathers information about the client, such as the user-agent and screen resolution, and sends it back to the attackers’ exploitation server.

If the RCE succeeded, the JavaScript would then request the next stage, called SBX (for Sandbox Escape).
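The hidden-iframe delivery described above is something defenders can hunt for in captured page HTML. The scanner below is an added example, not code from Google TAG or from this article; it assumes regex-level parsing is acceptable for triage, and the hostnames in its sample page are constructed.

```javascript
// Added example (not TAG's or the article's code): flag concealed <iframe> elements in
// captured page HTML. Regex heuristic; use a real HTML parser in production.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Reasons an iframe would be invisible to the user; an empty list means visible.
function hiddenReasons(attrs) {
  const style = (attrs.style || '').toLowerCase().replace(/\s+/g, '');
  const tiny = (v) => v !== undefined && /^[01](px)?$/i.test(v);
  const reasons = [];
  if (/display:none/.test(style)) reasons.push('display:none');
  if (/visibility:hidden/.test(style)) reasons.push('visibility:hidden');
  if (/opacity:0(?![.\d])/.test(style)) reasons.push('opacity:0');
  if (/(left|top):-\d{3,}/.test(style)) reasons.push('off-screen offset');
  if ('hidden' in attrs) reasons.push('hidden attribute');
  if (tiny(attrs.width) || tiny(attrs.height)) reasons.push('zero/one-pixel size');
  if (/(^|;)(width|height):[01](px)?(;|$)/.test(style)) reasons.push('zero/one-pixel style');
  return reasons;
}

// Each finding records the resolved frame host and whether it is cross-origin to the page.
function scanHtml(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;
    let host;
    try { host = new URL(attrs.src, pageUrl).hostname; } catch { continue; }
    const reasons = hiddenReasons(attrs);
    if (reasons.length) findings.push({ src: attrs.src, host, crossOrigin: host !== pageHost, reasons });
  }
  return findings;
}
// Constructed sample page (hostnames are not real indicators): one visible embed, two hidden frames.
const SAMPLE_HTML = `<html><body>
<iframe src="https://www.example-news.test/player" width="640" height="360"></iframe>
<iframe src="https://example-jobs.invalid/apply" width="0" height="0" style="border:0"></iframe>
<iframe src='//example-cdn.invalid/s.html' style="position:absolute; left:-9999px; display:none"></iframe>
</body></html>`;
console.log(JSON.stringify(scanHtml(SAMPLE_HTML, 'https://www.example-news.test/article'), null, 2));
```

Same-origin hidden frames are reported too, since the kit was linked from compromised sites as well as attacker-owned ones; the `crossOrigin` flag lets an analyst prioritise.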

Domains & Websites Used by Hackers

Below are the fake domains used by the threat actors:-


Safeguards used by Hackers

To prevent security teams from recovering the stages of their exploit kit, the attackers used multiple safeguards.

Below are the safeguards the hackers used:-

  • It appears they only served the iframe at designated times, possibly when they knew their target would visit the website.
  • During some email campaigns, the recipients received unique links and IDs.
  • The exploit kit encrypts each stage, including the clients’ responses, with a session-specific key.
  • If the previous stage failed, no further stages would be served.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.