Google's Threat Analysis Group announced on Thursday that it had discovered a pair of North Korean hacking cadres going by the monikers Operation Dream Job and Operation AppleJeus in February that were leveraging a remote code execution exploit in the Chrome web browser.
The blackhatters reportedly targeted the US news media, IT, crypto and fintech industries, with evidence of their attacks going back as far as January 4th, 2022, though the Threat Analysis Group notes that organizations outside the US could have been targets as well.
"We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques," the Google team wrote on Thursday. "It is possible that other North Korean government-backed attackers have access to the same exploit kit."
Operation Dream Job targeted 250 people across 10 companies with fraudulent job offers from the likes of Disney and Oracle sent from accounts spoofed to look like they came from Indeed or ZipRecruiter. Clicking on the link would launch a hidden iframe that would trigger the exploit.
Operation AppleJeus, on the other hand targeted more than 85 users in the cryptocurrency and fintech industries using the same exploit kit. That effort involved "compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors," Google's security researchers found. "In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit."
"The kit initially serves some heavily obfuscated javascript used to fingerprint the target system," the team said. "This script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server. If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional javascript. If the RCE was successful, the javascript would request the next stage referenced within the script as 'SBX,' a common acronym for Sandbox Escape."
The Google security group discovered the activity on February 10th and had patched it by February 14th. The company has added all identified websites and domains to its Safe Browsing database as well as notified all of the targeted Gmail and Workspace users about the attempts.