Google TAG Identifies Threats from North Korea
Google's Threat Analysis Group (TAG) has been tracking activity from two North Korean threat groups since February 10th. The associated campaigns are publicly named "Operation Dream Job" (active since at least June 2020) and "Operation AppleJeus" (active since 2018); the lures utilize employment themes. The two campaigns target different industries: "Operation Dream Job" has been observed targeting media and technology (hosting providers and software companies), while "Operation AppleJeus" targets financial services, specifically cryptocurrency and fintech organizations. Both campaigns leverage the same exploit kit, built around a Google Chrome remote code execution (RCE) vulnerability, CVE-2022-0609. The phishing site embeds an iframe that performs system checks on the victim, collecting the details needed for the RCE exploit to succeed; additional JavaScript was used to escape Chrome's sandbox protection. To evade security researchers, the attackers ran the campaign cautiously: they served the iframe only at specific times, enforced a one-time-click policy, and ensured the exploit would fire only when the collected requirements were met.