Chrome Zero-Day Vulnerability Exploited in Korea-Linked Attacks

Google on Thursday patched a Chrome zero-day vulnerability that has been exploited to deliver malware in a campaign that shares similarities with previous Korea-linked attacks.

Chrome 78.0.3904.87 for Windows, macOS and Linux patches two vulnerabilities. One of them is CVE-2019-13720, which Google has described as a high-severity use-after-free bug in the browser’s audio component. The tech giant says it’s aware of reports that the security flaw has been exploited in the wild.

The issue was reported to Google on October 29 by researchers from Kaspersky and it was patched quickly. The company says the update containing the fix should reach users in the coming days or weeks.

According to Kaspersky, the zero-day has been exploited in a campaign dubbed Operation WizardOpium. The company says it has not found any evidence that would allow it to confidently link the operation to a known threat actor.

However, some “very weak code similarities” suggest a possible connection to the Lazarus Group, a threat actor linked to North Korea. On the other hand, researchers believe these code similarities could be false flags meant to make attribution more difficult.

Kaspersky says one of the websites targeted by the hackers is reminiscent of earlier attacks attributed to DarkHotel, a threat group that has been known to target entities with an interest in North Korea and which some believe may be sponsored by South Korea.

“The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks,” Kaspersky said in a blog post.

According to the cybersecurity firm, the attackers compromised a Korean-language news website as part of a watering hole attack and abused it to deliver malware via the Chrome zero-day. The compromised website loads scripts that profile each visitor's browser and operating system to determine whether the Chrome vulnerability can be exploited for arbitrary code execution.

If the exploit is successful, an encrypted payload disguised as a harmless .jpg file is delivered to the victim. The payload is then decrypted and an executable file is dropped and run.
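A defender-side check for the delivery stage described above, added here as an illustration and not code from the article or from Kaspersky's report: a file that claims to be a .jpg but lacks the JPEG start-of-image marker is flagged, and its byte entropy is reported so an analyst can tell an encrypted blob (near 8 bits/byte) from, say, an HTML error page. The sample inputs and the entropy threshold are constructed assumptions.

```python
import math
from collections import Counter

# Every JPEG begins with the SOI marker FF D8 followed by a marker byte FF.
JPEG_MAGIC = b"\xff\xd8\xff"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_image_blob(name: str, data: bytes, high_entropy: float = 7.5) -> dict:
    """Inspect a file served with an image name and report whether it is really a JPEG.

    A .jpg/.jpeg name without the JPEG magic is the decisive signal (a real JPEG is
    also high-entropy, so entropy alone cannot separate image from ciphertext).
    """
    claims_jpeg = name.lower().endswith((".jpg", ".jpeg"))
    has_magic = data.startswith(JPEG_MAGIC)
    entropy = round(shannon_entropy(data), 2)
    return {
        "name": name,
        "claims_jpeg": claims_jpeg,
        "jpeg_magic": has_magic,
        "entropy": entropy,
        "likely_encrypted": entropy >= high_entropy,
        "suspicious": claims_jpeg and not has_magic,
    }


def suspicious_names(files: dict) -> list:
    """Return the names of all files whose extension and content disagree."""
    return [n for n, d in files.items() if inspect_image_blob(n, d)["suspicious"]]


# Constructed samples (not real captures): a minimal JPEG, a uniform-byte blob
# standing in for an encrypted payload, and a plain HTML page named as an image.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
ENCRYPTED_BLOB = bytes(range(256)) * 4   # every byte value equally likely -> 8.0 bits/byte
HTML_PAGE = b"<html><body>404 Not Found</body></html>"

SAMPLES = {"photo.jpg": REAL_JPEG, "banner.jpg": ENCRYPTED_BLOB, "logo.jpeg": HTML_PAGE}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(inspect_image_blob(fname, blob))
    print("suspicious:", suspicious_names(SAMPLES))
```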

Kaspersky has only shared limited information about the malware, but revealed that it leverages the Windows Task Scheduler for persistence and its main module is designed to download other modules from a command and control (C&C) server.

In addition to the zero-day, the latest Chrome update fixes CVE-2019-13721, a high-severity use-after-free issue in the PDFium component. This vulnerability was reported to Google by a researcher who uses the online moniker banananapenguin on October 12 and it earned the hacker a $7,500 bounty.

CVE-2019-13720 is the second Chrome zero-day patched by Google this year. The first was CVE-2019-5786, which malicious actors exploited alongside a Windows zero-day.

Related: Chrome Zero-Day Exploited to Harvest User Data via PDF Files

Related: Google Discloses Actively Exploited Windows Vulnerability

Related: Zero-Day Used in the Wild Impacts Pixel 2, Other Android Phones

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
