North Korean hackers targeted fintech and media with Chrome Zero Day exploit

State-sponsored attackers attacked targets with fake emails and spoofed websites

One of the most alarming terms in computer security is the “zero-day exploit”. This label has some weight behind it for good reason, referring to a pretty scary situation where an attacker knows of a major flaw or bug hidden in software – in this case a browser – for which there is not yet patch available. Hackers love them, and now a new report from Google’s Threat Analysis Group (TAG) describes how a state-sponsored hacking gang based in North Korea exploited such a zero day in Chrome.

TAG shares that between January and February 2022, North Korean hackers were all on zero day in Google Chrome, which allowed them to execute code on target machines. Before the exploit was patched, North Koreans used it to compromise the computers of various media and fintech companies. Researchers have attributed the CVE-2022-0609 vulnerability and TAG describes it as “use after release in Animation”. Two separate but likely related groups have used Day Zero and given the entertaining and disarming nicknames Operation Dream Job and Operation AppleGames.


According to TAG, Operation Dream Job went after the media, domain registrars, software providers and web hosts – up to 250 individual targets with ten different organizations. Hackers would send fake recruitment emails claiming to be from Disney, Google and Oracle. While the emails appeared to come from or ZipRecruiter, they were actually linked to spoofed versions of those sites. Ideally – for hackers, that is – a brand would click through to the spoofed site, where a hidden iframe (an HTML page nested within another) would trigger the malware intended to exploit the vulnerability. Operation AppleJeus attacked cryptocurrency and fintech companies, up to 85 people in total, using the same malicious software toolkit. In addition to fake sites used to generate infections, at least two legitimate sites were also compromised and used to spread this attack.

As to how these attacks worked and what data was exfiltrated for later malicious use, TAG doesn’t have many details to share, as the hackers were careful to obscure their tracks at so many points along the path – although spoofed crypto sites did. reveal what TAG describes as trojanized cryptocurrency apps, and these are also often used to steal financial data and tokens.

TAG researchers were able to determine that hackers were not only targeting Chrome, but also luring Safari and Firefox users to malicious links. And unfortunately for anyone who fell prey to these attacks, they happened for over a month, from January 4, 2022 to February 14, before a fix was finally rolled out.

Image of Hell's Kitchen on YouTube

YouTube is adding thousands of free ad-supported TV episodes for you to binge

Read more

About the Author

Comments are closed.