An APT group is exploiting two vulnerabilities patched earlier this year in Firefox and Internet Explorer in attacks aimed at China and Japan.
The first issue, tracked as CVE-2019-17026, affects the Firefox browser and was addressed in January.
In January, Mozilla confirmed that it’s aware of targeted attacks exploiting the CVE-2019-17026 zero-day, but it did not disclose details of the attacks.
The vulnerability was reported to Mozilla by security experts from the Chinese firm Qihoo 360.
The experts reported that the CVE-2019-17026 zero-day had been exploited by attackers along with an Internet Explorer zero-day, Qihoo 360 experts initially disclosed the discovery via Twitter, but later deleted the message.
The second flaw tracked as CVE-2020-0674 is an RCE affecting the Internet Explorer, Microsoft addressed it in February,
According to the
Qihoo experts also tracked the group as the “Peninsula APT,” likely because it refers to an APT group operating from Korea.
Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) published a report containing technical details on attacks exploiting both flaws and aimed at Japanese entities
“When you are directed to the attack site with IE or Firefox, the attack code corresponding to the browser you accessed is returned.” states the JPCERT.
“After that, if the attack succeeds, the attack code will be downloaded again as a proxy automatic configuration file (PAC file). The downloaded attack code is executed as a PAC file, and the malware is downloaded and executed.”
The exploitation of the flaw allows delivering a proxy auto-configuration (PAC) file to the system. The PAC files are used to redirect requests made to specified websites through an external server under the control of the attackers.
The final payload used in the attack is a variant of the Gh0st RAT that was employed in multiple attacks carried out by China-linked APT groups. Experts pointed out that
“As a result of verification, it was confirmed that the attack on IE confirmed this time will be performed until execution of malware on Window 7 x64 (December 2019 release patch applied) and Windows 8.1 x64 (January 2020 release patch applied), No malware infection occurred in the environment of Windows 10 (with the January 2020 release patch applied).” concluded the report. “It is possible that the code was not compatible with Windows 10 in this attack.”