3 April 2020

DarkHotel hackers exploited flaws in Firefox and IE in attacks on China, Japan

An advanced persistent threat (APT) group has been exploiting vulnerabilities in the Mozilla Firefox and Internet Explorer browsers as part of a campaign aimed at targets in China and Japan.

The flaws in question are CVE-2019-17026 (Firefox) and CVE-2020-0674 (Internet Explorer), which Mozilla and Microsoft patched in early January and in February of this year, respectively. Both vulnerabilities were being exploited in the wild before the patches were released.

CVE-2019-17026 is an “IonMonkey type confusion with StoreElementHole and FallibleStoreElement”; IonMonkey is the Just-in-Time (JIT) compiler of SpiderMonkey, the JavaScript engine in Firefox.

CVE-2020-0674 is a memory corruption in the scripting engine (jscript.dll) that Internet Explorer uses, leading to remote code execution; it can be exploited by tricking a user into opening a specially crafted web page.

According to the Chinese cybersecurity firm Qihoo 360, which reported the attacks, the hackers exploited CVE-2019-17026 against Firefox users and CVE-2020-0674 against Internet Explorer users.

Qihoo 360’s researchers attributed the campaign to the threat actor known as DarkHotel, which the company tracks as APT-C-06. Qihoo says the group operates from East Asia and refers to it as the “Peninsula APT.”

Earlier this week, Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) published a report detailing attacks that exploited both vulnerabilities against Japanese entities.

According to the report, targeted users are directed to a malicious website that serves the exploit matching the visitor’s browser. If exploitation succeeds, a proxy auto-configuration (PAC) file is dropped on the victim’s machine. The PAC file redirects requests to specified websites through an external server under the attackers’ control, which puts the attackers in a position to inspect or tamper with that traffic.

The final payload in the observed attacks is Gh0st RAT, a popular remote access tool used to control infected endpoints, originally attributed to threat groups in China. Since its source code was made public several years ago, it has been used by many different groups.

JPCERT/CC said that the malware only runs on 64-bit Windows 7 and Windows 8.1 machines; it does not appear to work on Windows 10.
