URL: https://arstechnica.com/information-technology/2022/03/north-korean-hackers-unleashed-chrome-0-day-exploit-on-hundreds-o...
EXPLOIT AUTOPSY —


NORTH KOREAN HACKERS UNLEASHED CHROME 0-DAY EXPLOIT ON HUNDREDS OF US TARGETS


CRITICAL VULNERABILITY EXPLOITED BY 2 GROUPS BOTH WORKING FOR THE NORTH KOREAN
GOVERNMENT.

Dan Goodin - 3/24/2022, 9:20 PM

Hackers backed by North Korea's government exploited a critical Chrome zero-day
in an attempt to infect the computers of hundreds of people working in a wide
range of industries, including the news media, IT, cryptocurrency, and financial
services, Google said Thursday.

The flaw, tracked as CVE-2022-0609, was exploited by two separate North Korean
hacking groups. Both groups deployed the same exploit kit on websites that
either belonged to legitimate organizations and were hacked or were set up for
the express purpose of serving attack code on unsuspecting visitors. One group
was dubbed Operation Dream Job, and it targeted more than 250 people working for
10 different companies. The other group, known as AppleJeus, targeted 85 users.


DREAM JOBS AND CRYPTOCURRENCY RICHES

"We suspect that these groups work for the same entity with a shared supply
chain, hence the use of the same exploit kit, but each operate with a different
mission set and deploy different techniques," Adam Weidemann, a researcher on
Google's threat analysis group, wrote in a post. "It is possible that other
North Korean government-backed attackers have access to the same exploit kit."

Operation Dream Job has been active since at least June 2020, when researchers
at security firm ClearSky observed the group targeting defense and governmental
companies. Bad guys targeted specific employees in the organizations with fake
offers of a "dream job" with companies such as Boeing, McDonnell Douglas, and
BAE. The hackers devised an elaborate social-engineering campaign that used
fictitious LinkedIn profiles, emails, WhatsApp messages, and phone calls. The
goal of the campaign was both to steal money and collect intelligence.

AppleJeus, meanwhile, dates back to at least 2018. That's when researchers from
security firm Kaspersky saw North Korean hackers targeting a cryptocurrency
exchange using malware that posed as a cryptocurrency trading application.

The AppleJeus operation was notable for its use of a malicious app that was
written for macOS, which company researchers said was probably the first time an
APT—short for government-backed "advanced persistent threat group"—used malware
to target that platform. Also noteworthy was the group's use of malware that ran
solely in memory without writing a file to the hard drive, an advanced feature
that makes detection much harder.

One of the two groups (Weidemann didn't say which one) also used some of the
same control servers to infect security researchers last year. The campaign used
fictitious Twitter personas to develop relationships with the researchers. Once
a level of trust was established, the hackers used either an Internet Explorer
zero-day or a malicious Visual Studio project that purportedly contained source
code for a proof-of-concept exploit.

In February, Google researchers learned of a critical vulnerability being
exploited in Chrome. Company engineers fixed the vulnerability and gave it the
designation CVE-2022-0609. On Thursday, the company provided more details about
the vulnerability and how the two North Korean hacking groups exploited it.

Operation Dream Job sent targets emails that purported to come from job
recruiters working for Disney, Google, and Oracle. Links embedded into the email
spoofed legitimate job hunting sites such as Indeed and ZipRecruiter. The sites
contained an iframe that triggered the exploit.

Here's an example of one of the pages used:

[Image: one of the spoofed job-hunting pages used by Operation Dream Job. Credit: Google]

Members of Operation AppleJeus compromised the websites of at least two
legitimate financial services companies and a variety of ad hoc sites pushing
malicious cryptocurrency apps. Like the Dream Job sites, the sites used by
AppleJeus also contained iframes that triggered the exploit.

A fake app pushed in Operation AppleJeus


IS THERE A SANDBOX ESCAPE IN THIS KIT?

The exploit kit was written to carefully conceal the attack by, among other
things, disguising the exploit code and triggering remote code execution only
in select cases. The kit also appears to have used a separate exploit to break
out of the Chrome security sandbox. The Google researchers were unable to
recover that escape code, leaving open the possibility that the vulnerability
it exploited has yet to be patched.

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012
after working for The Register, the Associated Press, Bloomberg News, and other
publications.
Email dan.goodin@arstechnica.com // Twitter @dangoodin001
