Google details North Korean attacker groups targeting news media, IT and fintech cos
Country: United States
Google's Threat Analysis Group (TAG) shared its findings from the latest research on two distinct North Korean government-backed attacker groups targeting U.S.-based news media, IT, cryptocurrency and fintech companies.
In a blog post, Adam Weidemann of the Threat Analysis Group wrote that on Feb. 10 TAG discovered the two groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. The vulnerability was patched on February 14.
The attackers' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus. The campaign consistent with Operation Dream Job targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors.
The victims received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities, which contained links spoofing legitimate job-hunting websites like Indeed and ZipRecruiter. Clicking on the links would serve them a hidden iframe that would trigger the exploit kit.
The other group, consistent with Operation AppleJeus, targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, fake websites were set up to distribute trojanized cryptocurrency applications - hosting iframes and pointing their visitors to the exploit kit.
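Both campaigns described above delivered the exploit kit through hidden iframes, either injected into compromised legitimate sites or placed on look-alike pages. The following is an added example, not code from Google TAG or from the article, showing how a site owner or responder can scan served HTML for iframes that are invisible to the visitor (zero-size, `display:none`, `hidden`, or positioned off-screen) and note whether they point off-site. The sample HTML, hostnames and `.invalid` domains are constructed for illustration; no real indicators from the campaign are used.

```python
"""Scan HTML for hidden iframes, a common drive-by delivery point for exploit kits.

Added example for this article (not Google TAG's code). The sample page and the
.invalid hostnames below are constructed for illustration only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that make an element effectively invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])",
    re.IGNORECASE,
)
# Zero or one pixel dimensions written inline in a style attribute.
TINY_CSS_W = re.compile(r"width\s*:\s*[01](px)?\s*(;|$)", re.IGNORECASE)
TINY_CSS_H = re.compile(r"height\s*:\s*[01](px)?\s*(;|$)", re.IGNORECASE)
# Large negative offsets push the frame outside the viewport.
OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.IGNORECASE)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes (e.g. bare `hidden`) arrive as None.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 (pixels or percent)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def hiding_reasons(attrs):
    """Return the list of ways this iframe is hidden from the visitor."""
    style = attrs.get("style", "")
    reasons = []
    if HIDDEN_STYLE.search(style):
        reasons.append("hidden-by-css")
    if "hidden" in attrs:
        reasons.append("hidden-attribute")
    if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
        reasons.append("zero-size-attributes")
    if TINY_CSS_W.search(style) and TINY_CSS_H.search(style):
        reasons.append("zero-size-css")
    if OFFSCREEN.search(style):
        reasons.append("off-screen")
    return reasons


def find_hidden_iframes(html, site_host):
    """Return a finding per hidden iframe: src, host, whether it is off-site, reasons."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        if not src:
            continue
        reasons = hiding_reasons(attrs)
        if not reasons:
            continue  # a visible embed (video player etc.) is not interesting here
        host = urlparse(src).hostname or ""
        findings.append({
            "src": src,
            "host": host,
            "external": bool(host) and host.lower() != site_host.lower(),
            "reasons": reasons,
        })
    return findings


# Constructed sample page: one legitimate visible embed and three hidden frames.
SAMPLE_HTML = """
<html><body>
<h1>Example Fintech Portal</h1>
<iframe src="https://video.invalid/embed/intro" width="560" height="315"></iframe>
<iframe src="https://landing.invalid/jobs" style="display:none"></iframe>
<iframe src="https://cdn.invalid/frame" width="0" height="0"></iframe>
<iframe src="/partials/footer.html" style="position:absolute;left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, "fintech.invalid"):
        flag = "EXTERNAL" if f["external"] else "same-site"
        print(f"{flag:9} {f['src']}  ({', '.join(f['reasons'])})")
```

A hit is a lead, not proof of compromise: some analytics and payment widgets legitimately use invisible frames, so compare findings against a known-good copy of the page or an allow-list of expected frame hosts before escalating. Off-site hidden frames that appear without a corresponding deployment are the ones worth pulling the served content for.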
According to Google's TAG, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the exploit stages.
Although the vulnerability was patched on February 14, the threat actors made multiple attempts to use the exploit in the days after the patch was released. This highlights the importance of applying security updates as soon as they are available.
"We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operates with a different mission set and deploy different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit," TAG wrote in the post.