Lucene search

K
hiveproHive ProHIVEPRO:D7EA1CB0468E749402CDC827EECBB9DE
HistoryMar 25, 2022 - 2:16 p.m.

North Korean state-sponsored threat actor Lazarus Group exploiting Chrome Zero-day vulnerability

2022-03-2514:16:43
Hive Pro
www.hivepro.com
205
north korean
lazarus group
chrome
zero-day
vulnerability
exploit
phishing
malware
remote code execution
united states
news media
information technology
cryptocurrency
finance
exploit kit
mitre ttps
hack
sandbox bypass
attack
firms
industries
campaign
recruiters
disney
google
oracle
employment
phishing emails
drive-by
browser
malicious urls
mitre tactics
impact
collection
defense evasion
persistence
command and control
resource development
execution
lateral movement
credential access
privilege escalation
exfiltration
access token manipulation
account manipulation
infrastructure
web services
application layer protocol
application window discovery
data destruction
data encoding
data obfuscation
defacement
disk wipe
drive-by compromise
encrypted channel
exfiltration over c2 channel
exploitation for client execution
file and directory discovery
hide artifacts
impair defenses
indicator removal on host
ingress tool transfer
input capture
masquerading
non-standard port
phishing
process injection
proxy
query registry
remote services
service stop
signed binary proxy execution
system information discovery
system network configuration

EPSS

0.041

Percentile

92.2%

THREAT LEVEL: Red. For a detailed advisory, download the pdf file here For more than a month before a fix was available, North Korean state hackers known as Lazarus group exploited a zero-day, remote code execution vulnerability (CVE-2022-0609) in Google Chrome's web browser. The attack mainly targets firms situated in the United States, particularly those in the industries of news media, information technology, cryptocurrency, and finance. However, other organizations and countries are also on the list of attackers. The campaign begins by sending them phishing emails purporting to be from recruiters at Disney, Google, and Oracle, offering them false employment opportunities. The emails included links to bogus job-search websites such as Indeed and ZipRecruiter. Targets who clicked on the included malicious URLs were infected with drive-by browser malware downloads. The North Korean groups were utilizing an exploit kit (CVE-2022-0609) with hidden iframes embedded into a variety of websites. The attack kit may fingerprint target devices by collecting details like user-agent and screen resolution. After that the exploit kit executes a Chrome remote code execution hack capable of bypassing the lauded Chrome sandbox to move out onto the system. The Mitre TTPs commonly used by Lazarus Group are: TA0001: Initial AccessTA0007: DiscoveryTA0040: ImpactTA0009: CollectionTA0005: Defense EvasionTA0003: PersistenceTA0011: Command and ControlTA0042: Resource DevelopmentTA0002: ExecutionTA0008: Lateral MovementTA0006: Credential AccessTA0029: Privilege EscalationTA0010: ExfiltrationT1134.002: Access Token Manipulation: Create Process with TokenT1098: Account ManipulationT1583.001: Acquire Infrastructure: DomainsT1583.006: Acquire Infrastructure: Web ServicesT1071.001: Application Layer Protocol: Web ProtocolsT1010: Application Window DiscoveryT1560: Archive Collected DataT1560.002: Archive via LibraryT1560.003: Archive via Custom MethodT1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderT1547.009: Boot or Logon Autostart Execution: Shortcut ModificationT1110.003: Brute Force: Password SprayingT1059.003: Command and Scripting Interpreter: Windows Command ShellT1543.003: Create or Modify System Process: Windows ServiceT1485: Data DestructionT1132.001: Data Encoding: Standard EncodingT1005: Data from Local SystemT1001.003: Data Obfuscation: Protocol ImpersonationT1074.001: Data Staged: Local Data StagingT1491.001: Defacement: Internal DefacementT1587.001: Develop Capabilities: MalwareT1561.001: Disk Wipe: Disk Content WipeT1561.002: Disk Wipe: Disk Structure WipeT1189: Drive-by CompromiseT1573.001: Encrypted Channel: Symmetric CryptographyT1048.003: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolT1041: Exfiltration Over C2 ChannelT1203: Exploitation for Client ExecutionT1008: Fallback ChannelsT1083: File and Directory DiscoveryT1564.001: Hide Artifacts: Hidden Files and DirectoriesT1562.001: Impair Defenses: Disable or Modify ToolsT1562.004: Impair Defenses: Disable or Modify System FirewallT1070.004: Indicator Removal on Host: File DeletionT1070.006: Indicator Removal on Host: TimestompT1105: Ingress Tool TransferT1056.001: Input Capture: KeyloggingT1036.005: Masquerading: Match Legitimate Name or LocationT1571: Non-Standard PortT1027: Obfuscated Files or InformationT1588.004: Obtain Capabilities: Digital CertificatesT1566.001: Phishing: Spearphishing AttachmentT1542.003: Pre-OS Boot: BootkitT1057: Process DiscoveryT1055.001: Process Injection: Dynamic-link Library InjectionT1090.002: Proxy: External ProxyT1012: Query RegistryT1021.001: Remote Services: Remote Desktop ProtocolT1021.002: Remote Services: SMB/Windows Admin SharesT1489: Service StopT1218.001: Signed Binary Proxy Execution: Compiled HTML FileT1082: System Information DiscoveryT1016: System Network Configuration DiscoveryT1033: System Owner/User DiscoveryT1529: System Shutdown/RebootT1124: System Time DiscoveryT1204.002: User Execution: Malicious FileT1047: Windows Management Instrumentation Actor Details Vulnerability Details Indicators of Compromise (IoCs) Patch https://www.google.com/intl/en/chrome/?standalone=1 References https://blog.google/threat-analysis-group/countering-threats-north-korea/