Both Microsoft and Google released software updates yesterday to fix several security vulnerabilities, including zero-day vulnerabilities that have been exploited in the wild. The zero-day vulnerabilities were discovered by Kaspersky after they had already been exploited by an advanced hacker group. Attackers can use these vulnerabilities to install spyware directly on their targets' machines.
After tracing the source, Kaspersky pointed out that the attack cannot be attributed to any particular group, but some of the code used by the attackers is similar to that of the Lazarus group. The Lazarus Group is the creator of the well-known WannaCry ransomware, and the group is also regarded by the security company as a state-level hacker team funded by North Korea.
Kaspersky's investigation revealed that the attackers used a vulnerability in a Korean news website to embed a malicious script that was loaded whenever a user browsed the site. The code in this malicious script specifically targets Google Chrome, and the vulnerability it exploits is a zero-day that was previously unknown to Google. Once the malicious script is loaded, it exploits the Win32k vulnerability to download and install the malware, which then automatically connects to a remote server to obtain instructions. In other words, a user is infected with malware simply by browsing this Korean-language website; no user interaction is needed to complete the attack.
After tracing and analyzing the attack, Kaspersky said that there is no firm evidence to correlate it with any known advanced persistent threat group. However, the relevant code used by the attackers has very weak similarities to the Lazarus group, which suggests that the group behind the attack may be the well-known Lazarus group. The Lazarus Group has launched several well-known cyberattacks, including the WannaCry ransomware, the National Bank of Bangladesh theft case, and the Far East Bank theft case. The group has also been confirmed to be a state-level hacking organization funded by North Korea. The carrier of this attack was a Korean news site, meaning that the main targets were Korean users. Therefore, by common-sense speculation, this attack is very likely to have been launched by Lazarus, but Kaspersky said that there is not yet sufficient evidence to conclude this. Kaspersky notes that the attack code has only very weak similarity to the Lazarus group, and it may also be that other attackers are trying to shift attention onto Lazarus.