2022-03-29

Google TAG Identifies Threats from North Korea


Industry: Financial Services, Cryptocurrency, Information Technology, Media | Level: Strategic | Source: Google TAG

Google's Threat Analysis Group (TAG) has been tracking activity from two North Korean threat groups since February 10th. The associated campaigns are publicly named "Operation Dream Job" (active since at least June 2020), so called because its lures use employment themes, and "Operation AppleJeus" (active since 2018). The two campaigns target different industries: "Operation Dream Job" has been observed targeting media and technology organizations (hosting providers and software companies), while "Operation AppleJeus" targets financial services, specifically cryptocurrency and fintech organizations. Both campaigns use the same exploit kit, built around a Google Chrome remote code execution (RCE) vulnerability, CVE-2022-0609. The phishing site embeds an iframe that runs system checks on the victim's machine to confirm the requirements for the RCE exploit are met; the kit also includes JavaScript capable of escaping Chrome's sandbox protection. To evade security researchers, the attackers operated the campaign cautiously: they served the iframe only during specific time windows, applied a one-time-click policy to their links, and ensured the exploit would only fire when those requirements were satisfied.
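Because the kit fingerprints the browser before serving the exploit, the defender's first question is which hosts reached the lure sites with a Chrome build that predates the fix. The following Python script is an added example, not code from the original report or from Google TAG: it sweeps constructed web-proxy log lines, extracts the Chrome build from each User-Agent, and reports clients that contacted a watched domain with a build older than a given first-fixed version. The log format, the domain `example-jobs.invalid`, the client addresses and the browser versions are all constructed; the first-fixed build is a required parameter, and the `98.0.0.0` value in the demo is a labelled placeholder to be replaced with the build number from Google's advisory for CVE-2022-0609.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

Version = Tuple[int, int, int, int]

# Chrome (and Chromium derivatives such as Edge) advertise the engine build as
# "Chrome/<major>.<minor>.<build>.<patch>" in the User-Agent string.
CHROME_UA_RE = re.compile(r"\bChrome/(\d+(?:\.\d+){0,3})\b")

# Constructed proxy log format: timestamp client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+'
    r'(?P<url>\S+)\s+(?P<status>\d{3})\s+"(?P<ua>[^"]*)"$'
)

# Constructed sample log lines; domains, addresses and versions are made up.
SAMPLE_LOG = """\
2022-02-11T09:12:03Z 10.0.1.15 GET https://example-jobs.invalid/offer/123 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.1234.56 Safari/537.36"
2022-02-11T09:12:04Z 10.0.1.15 GET https://example-jobs.invalid/offer/frame.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.1234.56 Safari/537.36"
2022-02-11T09:15:41Z 10.0.1.22 GET https://intranet.corp.invalid/news 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.1234.56 Safari/537.36"
2022-02-11T09:20:10Z 10.0.1.31 GET https://example-jobs.invalid/offer/456 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Safari/605.1.15"
2022-02-11T09:31:27Z 10.0.1.40 GET https://intranet.corp.invalid/hr 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.1000.1 Safari/537.36"
"""


def parse_version(text: str) -> Version:
    """Turn '97.0.1234.56' into a 4-tuple so builds compare numerically, not lexically.
    Short forms such as '98' are padded with zeros."""
    parts = [int(p) for p in text.split(".")]
    parts = (parts + [0, 0, 0, 0])[:4]
    return (parts[0], parts[1], parts[2], parts[3])


def chrome_version(user_agent: str) -> Optional[Version]:
    """Return the Chrome build from a User-Agent string, or None for non-Chrome browsers."""
    match = CHROME_UA_RE.search(user_agent)
    return parse_version(match.group(1)) if match else None


def is_before_fix(version: Version, first_fixed: Version) -> bool:
    """True when the observed build predates the first build that carries the fix."""
    return version < first_fixed


def exposed_hosts(log_text: str, first_fixed: Version,
                  watch_domains: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Map each client that browsed with a pre-fix Chrome build to the URLs it requested.
    With watch_domains set, only requests to those domains count (lure-site exposure);
    with None, every pre-fix client is reported (patch inventory)."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort a whole sweep
        host = urlsplit(m["url"]).hostname or ""
        if watch_domains is not None and host not in watch_domains:
            continue
        ver = chrome_version(m["ua"])
        if ver is None or not is_before_fix(ver, first_fixed):
            continue  # non-Chrome browser, or already on a fixed build
        hits[m["client"]].append(m["url"])
    return dict(hits)


if __name__ == "__main__":
    # PLACEHOLDER: replace with the first fixed Chrome build from Google's
    # advisory for CVE-2022-0609; the value below is not the real one.
    first_fixed = parse_version("98.0.0.0")
    for client, urls in exposed_hosts(SAMPLE_LOG, first_fixed, {"example-jobs.invalid"}).items():
        print(f"{client}: reached lure domain with pre-fix Chrome, {len(urls)} request(s)")
    for client in exposed_hosts(SAMPLE_LOG, first_fixed):
        print(f"{client}: still running a pre-fix Chrome build")
```

Clients flagged by the watched-domain sweep are triage candidates, not confirmed compromises: the kit only delivered the exploit when its own checks passed, so host telemetry from the time of the visit (process creation under the browser, new persistence) decides the case. Re-fetching the lure URL later will usually return benign content, since the iframe was served only in narrow windows and links were one-time-use, so the investigation has to rely on the logs already captured.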
