Weekly Round-Up Chrome Zero-Day
Daily Round of IOC
Daily dump of IOC with more to follow where a regular IOC feed will be crafted.
North Koren Hackers spotted sharing Chome Zero-day
A blog article was posted today illustrating Malware hunters at Google have spotted the North Korean hackers are sharing zero-day browser exploits.
The Chrome vulnerability in question – CVE-2022-0609 – was patched by Google last month.
The two groups, though separate, used the same exploit kit in their campaigns, which signals that they may work for the same entity with a shared supply chain. However, “each operate with a different mission set and deploy different techniques,” Weidemann said. It’s also possible that other North Korean government-backed attackers have access to the same kit, he added.
Two Campaigns, One Exploit
Researchers revealed specific details about both Operation Dream Job and Operation AppleJeus in the post. The former targeted more than 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors
Summary of CVE from last month which should be addressed already!!
CISA has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose a significant risks to the federal enterprise.
| CVE Number | CVE Title | Remediation Due Date |
| CVE-2022-24086 | Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability | 3/1/2022 |
| CVE-2022-0609 | Google Chrome Use-After-Free Vulnerability | 3/1/2022 |
| CVE-2019-0752 | Microsoft Internet Explorer Type Confusion Vulnerability | 8/15/2022 |
| CVE-2018-8174 | Microsoft Windows VBScript Engine Out-of-Bounds Write Vulnerability | 8/15/2022 |
| CVE-2018-20250 | WinRAR Absolute Path Traversal Vulnerability | 8/15/2022 |
| CVE-2018-15982 | Adobe Flash Player Use-After-Free Vulnerability | 8/15/2022 |
| CVE-2017-9841 | PHPUnit Command Injection Vulnerability | 8/15/2022 |
| CVE-2014-1761 | Microsoft Word Memory Corruption Vulnerability | 8/15/2022 |
| CVE-2013-3906 | Microsoft Graphics Component Memory Corruption Vulnerability | 8/15/2022 |
Vidar infection in March 2022.
Today’s diary reviews Vidar and two additional variants: Oski Stealer and Mars Stealer based on analysis of their infection traffic.
Legitimate files used by Vidar, Oski, & Mars Stealer
During Vidar infections, the initial malware retrieves legitimate DLL files hosted on the same C2 server used for data exfiltration. These files are not malicious, but they are used by the Vidar malware binary.
- freebl3.dll (DLL for Thunderbird)
- mozglue.dll (DLL for Thunderbird)
- msvcp140.dll (Microsoft C runtime library)
- nss3.dll (DLL for Thunderbird)
- softokn3.dll (DLL for Thunderbird)
- vcruntime140.dll (Microsoft C runtime library)
To the above list, Oski Stealer and Mars Stealer add another legitimate DLL:
- sqlite3.dll (used for SQLite operations)
Indicators of Compromise (IOCs)
Below are the three malware samples used for today’s diary:
- b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180 (Vidar)
- c30ce79d7b5b0708dc03f1532fa89afd4efd732531cb557dc31fe63acd5bc1ce (Oski Stealer)
- 7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625 (Mars Stealer)
Below are C2 domains used by the above samples:
- 104.200.67[.]209 port 80 – dersed[.]com – Vidar C2 in September 2019
- 2.56.57[.]108 port 80 – 2.56.57[.]108 – Oski Stealer C2 in January 2022
- 5.63.155[.]126 port 80 – sughicent[.]com – Mars Stealer C2 in March 2022
References
- Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)
- Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer
- Like Father Like Son? New Mars Stealer
- https://threatpost.com/google-chrome-zero-day-bugs-exploited-weeks-ahead-of-patch/179103/