Weekly Round-Up Chrome Zero-Day

Daily Round of IOC

Daily dump of IOCs, with more to follow once a regular IOC feed has been set up.

North Korean Hackers spotted sharing Chrome Zero-day

A blog article posted today reports that malware hunters at Google have spotted North Korean hackers sharing a zero-day browser exploit.

The Chrome vulnerability in question – CVE-2022-0609 – was patched by Google last month.

The two groups, though separate, used the same exploit kit in their campaigns, which signals that they may work for the same entity with a shared supply chain. However, “each operate with a different mission set and deploy different techniques,” Weidemann said. It’s also possible that other North Korean government-backed attackers have access to the same kit, he added.

Two Campaigns, One Exploit

Researchers revealed specific details about both Operation Dream Job and Operation AppleJeus in the post. The former targeted more than 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors.

Summary of CVEs from last month, which should be addressed already!!

CISA has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risks to the federal enterprise.

CVE Number     | CVE Title                                                                      | Remediation Due Date
CVE-2022-24086 | Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability | 3/1/2022
CVE-2022-0609  | Google Chrome Use-After-Free Vulnerability                                     | 3/1/2022
CVE-2019-0752  | Microsoft Internet Explorer Type Confusion Vulnerability                       | 8/15/2022
CVE-2018-8174  | Microsoft Windows VBScript Engine Out-of-Bounds Write Vulnerability            | 8/15/2022
CVE-2018-20250 | WinRAR Absolute Path Traversal Vulnerability                                   | 8/15/2022
CVE-2018-15982 | Adobe Flash Player Use-After-Free Vulnerability                                | 8/15/2022
CVE-2017-9841  | PHPUnit Command Injection Vulnerability                                        | 8/15/2022
CVE-2014-1761  | Microsoft Word Memory Corruption Vulnerability                                 | 8/15/2022
CVE-2013-3906  | Microsoft Graphics Component Memory Corruption Vulnerability                   | 8/15/2022

Vidar infection in March 2022.

Today’s diary reviews Vidar and two additional variants, Oski Stealer and Mars Stealer, based on analysis of their infection traffic.

Legitimate files used by Vidar, Oski, & Mars Stealer

During Vidar infections, the initial malware retrieves legitimate DLL files hosted on the same C2 server used for data exfiltration. These files are not malicious, but they are used by the Vidar malware binary.

  • freebl3.dll  (DLL for Thunderbird)
  • mozglue.dll  (DLL for Thunderbird)
  • msvcp140.dll  (Microsoft C runtime library)
  • nss3.dll  (DLL for Thunderbird)
  • softokn3.dll  (DLL for Thunderbird)
  • vcruntime140.dll  (Microsoft C runtime library)

To the above list, Oski Stealer and Mars Stealer add another legitimate DLL:

  • sqlite3.dll  (used for SQLite operations)
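The DLL retrieval pattern above is a useful detection hook: a single client pulling most of this DLL set from one non-vendor host, followed by a POST to the same host, is the exfiltration C2 being reused as a file server. The following Python is an added example (not code from the diary or its author) that scans constructed proxy log lines for that pattern; the log format, client IPs and the `example.org` entry are assumptions, and the C2 address is the Oski Stealer one listed below.

```python
import re
from collections import defaultdict

# Legitimate DLLs the diary says Vidar retrieves from its C2.
VIDAR_DLLS = {"freebl3.dll", "mozglue.dll", "msvcp140.dll",
              "nss3.dll", "softokn3.dll", "vcruntime140.dll"}
# Oski Stealer and Mars Stealer additionally retrieve sqlite3.dll.
OSKI_MARS_EXTRA = {"sqlite3.dll"}
STEALER_DLLS = VIDAR_DLLS | OSKI_MARS_EXTRA

# Constructed sample proxy log (not real traffic): "src_ip method host uri".
SAMPLE_LOG = """\
10.0.0.5 GET download.mozilla.org /pub/thunderbird/releases/setup.exe
10.0.0.7 GET 2.56.57.108 /freebl3.dll
10.0.0.7 GET 2.56.57.108 /mozglue.dll
10.0.0.7 GET 2.56.57.108 /msvcp140.dll
10.0.0.7 GET 2.56.57.108 /nss3.dll
10.0.0.7 GET 2.56.57.108 /softokn3.dll
10.0.0.7 GET 2.56.57.108 /vcruntime140.dll
10.0.0.7 GET 2.56.57.108 /sqlite3.dll
10.0.0.7 POST 2.56.57.108 /
10.0.0.9 GET example.org /msvcp140.dll
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\S+)$")


def find_stealer_dll_fetches(log_text, min_dlls=3):
    """Group stealer-DLL downloads by (client, server) pair and flag pairs
    that fetched at least min_dlls distinct names. A lone msvcp140.dll
    download stays below the threshold, which keeps benign noise out."""
    fetched = defaultdict(set)   # (src, host) -> set of DLL names
    posted = set()               # (src, host) pairs that also sent a POST
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip lines that do not fit the assumed format
        src, method, host, uri = m.groups()
        name = uri.rsplit("/", 1)[-1].lower()
        if method == "GET" and name in STEALER_DLLS:
            fetched[(src, host)].add(name)
        elif method == "POST":
            posted.add((src, host))
    hits = {}
    for key, names in fetched.items():
        if len(names) >= min_dlls:
            family = "Oski/Mars Stealer" if names & OSKI_MARS_EXTRA else "Vidar"
            hits[key] = {"dlls": sorted(names), "family_hint": family,
                         "post_seen": key in posted}   # POST = likely exfil
    return hits
```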

Indicators of Compromise (IOCs)

Below are the three malware samples used for today’s diary:

Below are C2 domains used by the above samples:

  • 104.200.67[.]209 port 80 – dersed[.]com – Vidar C2 in September 2019
  • 2.56.57[.]108 port 80 – 2.56.57[.]108 – Oski Stealer C2 in January 2022
  • 5.63.155[.]126 port 80 – sughicent[.]com – Mars Stealer C2 in March 2022