An advanced persistent threat (APT) group has been exploiting vulnerabilities in Mozilla Firefox and Internet Explorer as part of a campaign aimed at targets in China and Japan.
The flaws in question are CVE-2019-17026 (Firefox) and CVE-2020-0674 (Internet Explorer), patched by Mozilla in early January and by Microsoft in February of this year, respectively. Both were exploited in the wild as zero-days before the patches were released.
Mozilla describes CVE-2019-17026 as an "IonMonkey type confusion with StoreElementHole and FallibleStoreElement"; IonMonkey is the just-in-time (JIT) compiler for SpiderMonkey, Firefox's JavaScript engine. A type confusion in the JIT lets attacker-controlled JavaScript read and write memory it should not be able to reach, which is the usual first step toward code execution in the browser process.
CVE-2020-0674 is a memory corruption vulnerability in Internet Explorer's scripting engine that allows remote code execution; an attacker exploits it by luring a user into opening a specially crafted web page in the browser.
According to the Chinese cybersecurity firm Qihoo 360, which reported the attacks, the hackers used CVE-2019-17026 against Firefox users and CVE-2020-0674 against Internet Explorer users in the same campaign.
Qihoo 360 attributed the campaign to the threat actor known as DarkHotel, which it tracks as APT-C-06. The company says the group operates from East Asia and refers to it as the "Peninsula APT."
Earlier this week, Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) published a report detailing attacks that exploit both vulnerabilities and target Japanese entities.
According to the report, targeted users are directed to a malicious website that serves the exploit matching the visitor's browser. If exploitation succeeds, a proxy auto-configuration (PAC) file is downloaded onto the victim's machine. A PAC file is a small JavaScript program whose FindProxyForURL(url, host) function the browser consults for every request; the attackers' file returns a proxy for a list of specified websites, so requests to those sites are routed through an external server under their control while all other traffic goes direct and nothing looks wrong to the user. A PAC file or proxy setting that appears on a host without a matching change-management record is therefore worth treating as a compromise indicator in its own right.
The final payload observed in the attacks is Gh0st RAT, a widely used remote access tool for controlling infected endpoints that was originally attributed to threat actors in China. Its source code was made public several years ago and has since been reused by many groups, so its presence alone is weak evidence for attribution.
JPCERT/CC noted that the malware executes only on 64-bit Windows 7 and Windows 8.1 machines and does not appear to run on Windows 10.