Author Archives: Adam Weidemann

Countering threats from North Korea

On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus.

We observed the campaigns targeting U.S.-based organizations spanning news media, IT, cryptocurrency and fintech industries. However, other organizations and countries may have been targeted. One of the campaigns has direct infrastructure overlap with a campaign targeting security researchers which we reported on last year. The exploit was patched on February 14, 2022. The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022.

We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operates with a different mission set and deploys different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit.

In this blog, we will walk through the observed tactics, techniques and procedures, share relevant IOCs and analyze the exploit kit used by the attackers. In line with our current disclosure policy, we are providing these details 30 days after the patch release.

Campaign targeting news media and IT companies

The campaign, consistent with Operation Dream Job, targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.

Example of spoofed job hunting websites

Victims who clicked on the links would be served a hidden iframe that would trigger the exploit kit.

Attacker-Owned Fake Job Domains:

  • disneycareers[.]net
  • find-dreamjob[.]com
  • indeedus[.]org
  • varietyjob[.]com
  • ziprecruiters[.]org

Exploitation URLs:

  • https[:]//colasprint[.]com/about/about.asp (legitimate but compromised website)
  • https[:]//varietyjob[.]com/sitemap/sitemap.asp

Campaign targeting cryptocurrency and Fintech organizations

Another North Korean group, whose activity has been publicly tracked as Operation AppleJeus, targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.

example website

Attacker-Owned Websites:


Compromised Websites (Feb 7 - Feb 9):

  • www.options-it[.]com
  • www.tradingtechnologies[.]com

Exploitation URLs:

  • https[:]//financialtimes365[.]com/user/finance.asp
  • https[:]//gatexpiring[.]com/gate/index.asp
  • https[:]//humingbot[.]io/cdn/js.asp
  • https[:]//teenbeanjs[.]com/cloud/javascript.asp

Exploit kit overview

The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users. The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.
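A site owner can audit served pages for the delivery mechanism described above: iframes that are invisible to the visitor and load from another host. The following Python sketch is an added example, not code from the original post; the hostnames, the sample HTML and the set of hiding styles it checks are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline-style patterns that make an element invisible (assumed, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)

class IframeAuditor(HTMLParser):
    """Collects iframes that are both invisible and loaded from another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        if "hidden" in a:
            reasons.append("hidden attribute")
        for dim in ("width", "height"):
            if a.get(dim, "").strip() in ("0", "1"):
                reasons.append(f"{dim}={a[dim].strip()}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("invisible inline style")
        src = urljoin(self.page_url, a.get("src", ""))
        host = urlparse(src).hostname
        if reasons and host and host != self.page_host:
            self.findings.append({"src": src, "host": host, "reasons": reasons})

def audit_page(page_url, html):
    auditor = IframeAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

# Constructed sample: a visible embed, a hidden same-host widget, a hidden cross-host iframe.
SAMPLE_HTML = """
<iframe src="https://video.cdn.example/embed/42" width="560" height="315"></iframe>
<iframe src="/widgets/newsletter.html" style="display:none"></iframe>
<iframe src="https://unknown-host.example/x/index.asp" width="0" height="0"
        style="visibility: hidden"></iframe>
"""

if __name__ == "__main__":
    for finding in audit_page("https://www.site.example/", SAMPLE_HTML):
        print(finding["host"], finding["reasons"])
```

This only inspects static markup and inline styles; iframes hidden through a stylesheet class or injected by script need a check against the rendered DOM.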

The kit initially serves some heavily obfuscated JavaScript used to fingerprint the target system. This script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server. If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional JavaScript. If the RCE was successful, the JavaScript would request the next stage referenced within the script as “SBX”, a common acronym for Sandbox Escape. We unfortunately were unable to recover any of the stages that followed the initial RCE.

Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages. These safeguards included:

  • Only serving the iframe at specific times, presumably when they knew an intended target would be visiting the site.
  • In some email campaigns the targets received links with unique IDs. This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to only be served once.
  • The exploit kit would AES encrypt each stage, including the clients’ responses with a session-specific key.
  • Additional stages were not served if the previous stage failed.

Although we recovered a Chrome RCE, we also found evidence where the attackers specifically checked for visitors using Safari on macOS or Firefox (on any OS), and directed them to specific links on known exploitation servers. We did not recover any responses from those URLs.

Example Exploit Kit:

The attackers made multiple attempts to use the exploit days after the vulnerability was patched on February 14, which stresses the importance of applying security updates as they become available.

Protecting Our Users

As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. We also sent all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity. We encourage any potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.

TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted or suffered from these activities. We hope that improved understanding of the tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry.

Update on campaign targeting security researchers

In January, the Threat Analysis Group documented a hacking campaign, which we were able to attribute to a North Korean government-backed entity, targeting security researchers. On March 17th, the same actors behind those attacks set up a new website with associated social media profiles for a fake company called “SecuriElite.”

The new website claims the company is an offensive security company located in Turkey that offers pentests, software security assessments and exploits. Like previous websites we’ve seen set up by this actor, this website has a link to their PGP public key at the bottom of the page. In January, targeted researchers reported that the PGP key hosted on the attacker’s blog acted as the lure to visit the site where a browser exploit was waiting to be triggered.


SecuriElite website

The attacker’s latest batch of social media profiles continues the trend of posing as fellow security researchers interested in exploitation and offensive security. On LinkedIn, we identified two accounts impersonating recruiters for antivirus and security companies. We have reported all identified social media profiles to the platforms to allow them to take appropriate action.


Actor controlled LinkedIn profiles

Actor controlled Twitter profiles

Tweet from SecuriElite announcing new company

At this time, we have not observed the new attacker website serve malicious content, but we have added it to Google Safe Browsing as a precaution.

Following our January blog post, security researchers successfully identified these actors using an Internet Explorer 0-day. Based on their activity, we continue to believe that these actors are dangerous, and likely have more 0-days. We encourage anyone who discovers a Chrome vulnerability to report that activity through the Chrome Vulnerability Reward Program submission process.


Actor controlled sites and accounts

Fake Security Company Website:

  • www.securielite[.]com

Twitter Profiles:


LinkedIn Profiles:

  • SecuriElite - https://www.linkedin.com/company/securielite/
  • Carter Edwards, HR Director @ Trend Macro - https://www.linkedin.com/in/carter-edwards-a99138204/
  • Colton Perry, Security Researcher - https://www.linkedin.com/in/colton-perry-6a8059204/
  • Evely Burton, Technical Recruiter @ Malwarebytes - https://www.linkedin.com/in/evely-burton-204b29207/
  • Osman Demir, CEO @ SecuriElite - https://www.linkedin.com/in/osman-demir-307520209/
  • Piper Webster, Security Researcher - https://www.linkedin.com/in/piper-webster-192676203/
  • Sebastian Lazarescue, Security Researcher @ SecuriElite - https://www.linkedin.com/in/sebastian-lazarescue-456840209/

Email:

Attacker Owned Domains:



New campaign targeting security researchers

Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.

In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.

A screenshot of 4 actor controlled Twitter profiles: @z0x55g, @james0x40, @br0vvnn and @BrownSec3Labs

Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.

Example of an analysis done by the actor about a publicly disclosed vulnerability.

While we are unable to verify the authenticity or the working status of all of the exploits that they have posted videos of, in at least one case, the actors have faked the success of their claimed working exploit. On Jan 14, 2021, the actors shared via Twitter a YouTube video they uploaded that proclaimed to exploit CVE-2021-1647, a recently patched Windows Defender vulnerability. In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake. Multiple comments on YouTube identified that the video was faked and that there was not a working exploit demonstrated. After these comments were made, the actors used a second Twitter account (that they control) to retweet the original post and claim that it was “not a fake video.”

Tweets demonstrating the actors' “exploits”

Security researcher targeting

The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains. An example of the VS Build Event can be seen in the image below.

Visual Studio Build Events command executed when building the provided VS Project files
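Because build events run as soon as a project is built, a project received from a third party can be inspected before it is opened in Visual Studio. The following Python sketch is an added example, not code from the original post: it lists every command an MSBuild project file would execute and flags those matching a watch list. The watch list and the sample project are constructed assumptions, not the attackers' actual build event.

```python
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose command text runs on the machine doing the build.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}
# Assumed, illustrative watch list of Windows binaries often used to load or fetch code.
LOADERS = re.compile(
    r"\b(rundll32|regsvr32|powershell|pwsh|mshta|wscript|cscript|certutil|bitsadmin)\b",
    re.IGNORECASE,
)

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on MSBuild tags."""
    return tag.rsplit("}", 1)[-1]

def build_commands(project_xml):
    """Return (event, command) pairs for every command the build would run."""
    # Project files from strangers are untrusted input: refuse DTDs/entities.
    if "<!DOCTYPE" in project_xml or "<!ENTITY" in project_xml:
        raise ValueError("unexpected DTD or entity declaration in project file")
    found = []
    for elem in ET.fromstring(project_xml).iter():
        name = local(elem.tag)
        if name in EVENT_TAGS:
            # C++ projects nest <Command>; C# projects hold the text directly.
            texts = [c.text for c in elem if local(c.tag) == "Command"] or [elem.text]
            found += [(name, t.strip()) for t in texts if t and t.strip()]
        elif name == "Exec" and elem.get("Command"):
            found.append(("Exec", elem.get("Command").strip()))
    return found

def review_project(project_xml):
    """Split build commands into (flagged, other) using the watch list."""
    flagged, other = [], []
    for event, cmd in build_commands(project_xml):
        (flagged if LOADERS.search(cmd) else other).append((event, cmd))
    return flagged, other

# Constructed sample project, not the file used in the campaign.
SAMPLE_VCXPROJ = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)res\helper.dll",Init</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>"""

if __name__ == "__main__":
    flagged, other = review_project(SAMPLE_VCXPROJ)
    print("review before building:", flagged)
```

Commands that do not match the watch list still deserve a read, since any build event executes with the privileges of the user running the build.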

In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have. Chrome vulnerabilities, including those being exploited in the wild (ITW), are eligible for reward payout under Chrome's Vulnerability Reward Program. We encourage anyone who discovers a Chrome vulnerability to report that activity via the Chrome VRP submission process.

These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email. We are providing a list of known accounts and aliases below. If you have communicated with any of these accounts or visited the actors’ blog, we suggest you review your systems for the IOCs provided below. To date, we have only seen these actors targeting Windows systems as a part of this campaign.

If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.

Actor controlled sites and accounts

Research Blog
  • https://blog.br0vvnn[.]io
Twitter Accounts
LinkedIn Accounts
  • https://www.linkedin.com/in/billy-brown-a6678b1b8/
  • https://www.linkedin.com/in/guo-zhang-b152721bb/
  • https://www.linkedin.com/in/hyungwoo-lee-6985501b9/
  • https://www.linkedin.com/in/linshuang-li-aa696391bb/
  • https://www.linkedin.com/in/rimmer-trajan-2806b21bb/
Keybase
  • https://keybase.io/zhangguo
Telegram
  • https://t.me/james50d
Sample Hashes
  • https://www.virustotal.com/gui/file/4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244/detection (VS Project DLL)
  • https://www.virustotal.com/gui/file/68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7/detection (VS Project DLL)
  • https://www.virustotal.com/gui/file/25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc/detection (VS Project Dropped DLL)
  • https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection (VS Project Dropped DLL)
  • https://www.virustotal.com/gui/file/a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15/detection (Service DLL)
C2 Domains: Attacker-Owned
C2 Domains: Legitimate but Compromised
  • trophylab[.]com
  • www.colasprint[.]com
  • www.dronerc[.]it
  • www.edujikim[.]com
  • www.fabioluciani[.]com
C2 URLs

Host IOCs

  • Registry Keys

    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig

    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig

    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update 

  • File Paths

    • C:\Windows\System32\Nwsapagent.sys

    • C:\Windows\System32\helpsvc.sys

    • C:\ProgramData\USOShared\uso.bin

    • C:\ProgramData\VMware\vmnat-update.bin

    • C:\ProgramData\VirtualBox\update.bin