Google on Thursday patched a Chrome zero-day vulnerability that has been exploited to deliver malware in a campaign that shares similarities with previous Korea-linked attacks.
Chrome 78.0.3904.87 for Windows, macOS and Linux patches two vulnerabilities. One of them is CVE-2019-13720, which Google has described as a high-severity use-after-free bug in the browser’s audio component. The tech giant says it’s aware of reports that the security flaw has been exploited in the wild.
The issue was reported to Google on October 29 by researchers from Kaspersky and it was patched quickly. The company says the update containing the fix should reach users in the coming days or weeks.
According to Kaspersky, the zero-day has been exploited in a campaign dubbed Operation WizardOpium. The company says it has not found any evidence that would allow it to confidently link the operation to a known threat actor.
However, some “very weak code similarities” suggest a possible connection to the Lazarus Group, a threat actor linked to North Korea. On the other hand, researchers believe these code similarities could be false flags meant to make attribution more difficult.
Kaspersky says one of the websites targeted by the hackers is reminiscent of earlier attacks attributed to DarkHotel, a threat group that has been known to target entities with an interest in North Korea and which some believe may be sponsored by South Korea.
“The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks,” Kaspersky said in a blog post.
According to the cybersecurity firm, the attackers compromised a Korean-language news website as part of a watering hole attack and abused it to deliver malware via the Chrome zero-day. The compromised website loads scripts designed to check visitors’ browser and operating system to determine if the Chrome vulnerability can be exploited for arbitrary code execution.
If the exploit is successful, an encrypted payload disguised as a harmless .jpg file is delivered to the victim. The payload is then decrypted and an executable file is dropped and run.
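A defender-side check for the delivery step described above, as an added example that is not from Kaspersky's or Google's reports: it flags files named .jpg whose bytes are not a JPEG and look like ciphertext. It assumes the disguised payload lacks a valid JPEG header, which the article does not state, and all sample inputs and names are constructed.

```python
import math
from collections import Counter

JPEG_SOI = b"\xff\xd8\xff"  # JPEG files start with the SOI marker plus a second marker byte

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_jpg(name: str, data: bytes, threshold: float = 7.5) -> str:
    """Compare a file's claimed type (its extension) with its content."""
    if not name.lower().endswith((".jpg", ".jpeg")):
        return "not-jpg-name"
    # Magic check first: real JPEG data is compressed and also high-entropy,
    # so entropy alone cannot separate an image from ciphertext.
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if shannon_entropy(data[:65536]) >= threshold:
        return "mismatch-high-entropy"  # candidate encrypted blob, triage first
    return "mismatch"  # e.g. an HTML error page saved under an image name

# Constructed sample inputs (not taken from the campaign).
SAMPLES = {
    "banner.jpg": JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
    "photo.jpg": bytes(range(256)) * 16,  # uniform bytes, stand-in for ciphertext
    "thumb.JPG": b"<html><body>404 Not Found</body></html>",
    "report.pdf": b"%PDF-1.4\n",
}

def scan(samples: dict) -> dict:
    """Classify every (name, content) pair and return name -> verdict."""
    return {name: classify_jpg(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:24} {name}")
```

A payload that carries a genuine JPEG header would be classified as `jpeg`, so this check is a triage signal for proxy or endpoint file captures rather than a verdict.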
Kaspersky has only shared limited information about the malware, but revealed that it leverages the Windows Task Scheduler for persistence and its main module is designed to download other modules from a command and control (C&C) server.
In addition to the zero-day, the latest Chrome update fixes CVE-2019-13721, a high-severity use-after-free issue in the PDFium component. This vulnerability was reported to Google on October 12 by a researcher who uses the online moniker banananapenguin, and it earned the hacker a $7,500 bounty.
CVE-2019-13720 is the second Chrome zero-day patched by Google this year. The first was CVE-2019-5786, which malicious actors exploited alongside a Windows zero-day.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
