Google confirmed that it had patched a serious Chrome browser vulnerability used by North Korean hackers to spy on and take over victims’ devices. According to Google, however, Chrome was not the only target: users of other browsers such as Safari and Firefox were also being directed to specific links on known exploitation servers.

The Chrome zero-day vulnerability CVE-2022-0609 is a use-after-free bug in Google’s browser: a memory-corruption flaw that lets an attacker place malicious code in freed memory and execute it remotely. It was being exploited in the wild as early as January 4, 2022, by two separate North Korean government-sponsored threat groups running campaigns known as Operation Dream Job and Operation AppleJeus.

Operation Dream Job targeted individuals working at major news organizations, domain registrars, hosting providers, and software vendors. Posing as companies such as Disney, Oracle, and Google, the hackers sent job-offer emails that led targets to lookalike domains imitating Indeed, ZipRecruiter, or DisneyCareers. These imposter websites installed the malware by delivering the exploit through iframes embedded in the page.

Operation AppleJeus focused on the financial sector, targeting at least 85 individuals connected to various cryptocurrency platforms. The hackers redirected users to compromised websites, where an exploit script ran on the victims’ devices and used the Chrome flaw to install remote-access malware. North Korean hackers are responsible for the theft of $620 million in Ethereum cryptocurrency, according to a March 28th FBI report. In 2021 alone, North Korea was responsible for over $400 million in cryptocurrency theft.