KEEPNET LABS > Blog > North Korean Hackers Took Advantage of a Chrome zero-day Vulnerability Before the Patch Was Released

North Korean Hackers Took Advantage of a Chrome zero-day Vulnerability Before the Patch Was Released

Google’s Threat Analysis Group (TAG) said that hacker groups have exploited the Remote Code Execution (RCE) vulnerability that is being monitored in Chrome.

Two North Korean hacker groups have been banned by Google from using a zero-day bug in Chrome. The fixes were released by Google in February, but the exploit has already been launched.

After discovering this incident in February, the US Cybersecurity and Infrastructure Security Agency (CISA) authorized all government agencies to immediately fix this zero-day bug in Chrome.


In Addition to this exploit, North Korean hacker groups have also used the SWIFT attack on the international banking messaging system of Swift, which is linked to the North Korean hacker group Lazarus, which is believed to have hacked Sony Pictures.

According to the “Dream Job” operation, the campaigns followed by Google Tag targeted US-based organizations:

  • News media,
  • Cryptocurrency,
  • Technology industry,
  • Domain name registrars,
  • Web hosting providers,
  • Software vendors.

Posted vacancy fake e-mail the objectives, that IS, claim, they are employers, the following well-known multinational companies:

  • Disney,
  • Google,
  • Oracle.

Adam Weidemann said: “We think that the common supply chain of these groups, therefore, they use the same set of exploits, but with different settings applied different methods of mission and each employee. It is entirely possible that other attackers supported by the North Korean government may have had access to the same exploits.”

Exploitation Toolkit

In order to exploit the target users, the attackers used a set of exploits consisting of several components and stages. Both on their own websites and on some that they have seized, attackers have added links to the set of exploits in hidden iframes. It focuses on taking fingerprints from the target system using heavily implicit javascript.

It collects and sends customer information such as exploitation scenarios, user agents, and permission. Then Javascript will prompt for the next step called SBX (to exit the sandbox) if Rce is successful. Below we have listed all the fake domains used by threat actors:

  • disneycareers[.]net
  • find-dreamjob[.]com
  • indeedus[.]org
  • varietyjob[.]com
  • ziprecruiters[.]org
  • blockchainnews[.]vip
  • chainnews-star[.]com
  • financialtimes365[.]com
  • fireblocks[.]vip
  • gatexpiring[.]com
  • gbclabs[.]com
  • giantblock[.]org
  • humingbot[.]ioonlynova[.]org

Hackers’ Security Measures

In order to prevent security teams from retrieving the phases of their exploit, the attackers implemented a number of precautions. We have listed all of the safeguards utilized by hackers below:

  • It appears that the frame was only served at specific times, presumably when they knew their target would visit the page.
  • The recipients of some email campaigns received unique links and IDs.
  • The exploit kit encrypts each stage, including the clients’ answers, using a session-specific key.
  • No future stages would be served if the previous stage failed.

Our Newsletter

Sign up to learn about the latest threats, hacking methods, and news.