skip to Main Content

Cybercrime, an APT launched zero-day attack thanks to a Google’s Chrome flaw

Kaspersky: An APT exploited a Google’s Chrome vulnerability to launch zero-day attack. The campaign has been dubbed as Operation WizardOpium. The profile of the targeted website is in line with earlier DarkHotel attacks

A new vulnerability for Google’s Chrome browser has been used in zero-day attacks. It has been discovered by Kaspersky cyber security experts who dubbed the cyber offensive as Operation WizardOpium. So far, they have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with North Korea’s Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks, that have recently deployed similar false flag attacks. It was a targeted spear-phishing spyware and malware-spreading campaign that appeared to be selectively attacking business hotel visitors through the hotel’s in-house WiFi network. The attacks were specifically targeted at senior company executives, using forged digital certificates, generated by factoring the underlying weak public keys of real certificates, to convince victims that prompted software downloads are valid.

The cyber security experts explain how cybercrime exploited the Google’s flaw to hit

Kaspersky, once discovered the exploit, reported it to the Google Chrome cyber security team. After reviewing of the PoC the researchers provided, the company confirmed there was a zero-day vulnerability and assigned it CVE-2019-13720. Then, Google released Chrome version 78.0.3904.87 for Windows, Mac, and Linux to solve the issue. The APT attack leverages a waterhole-style injection on a Korean-language news portal. A malicious JavaScript code was inserted in the main page, which in turn, loads a profiling script from a remote site. The final payload is downloaded as an encrypted binary that is decrypted by the shellcode. After decryption, the cybercrime malware module is dropped as updata.exe to disk and executed. For persistence, the malware installs tasks in Windows Task Scheduler.

Back To Top