Google last Thursday issued an update to its Chrome browser for Windows, Mac and Linux desktop environments, fixing two high-level vulnerabilities, including one that mysterious attackers have been exploiting as a zero day to deliver malware.

The two bugs, fixed in version 78.0.3904.87, were identified as CVE-2019-13721, a use-after-free in PDFium, and CVE-2019-13720 a use-after-free in audio. The former vulnerability was discovered by a researcher with the alias Banananapenguin, while the latter was reported by Kaspersky researchers Anton Ivanov and Alexey Kulaev, who found the flaw was being leveraged in a malicious campaign dubbed Operation WizardOpium.

To leverage the exploit, the perpetrators first injected malicious JavaScript code into the main page of a Korean-language news portal, Kaspersky explained in a blog post last Friday. Visiting this page would trigger a watering hole attack that remotely loads one script that, in turn, loads a second script. The second script seeks out the victim’s browser details to determine if it is exploitable. If so, the script sends AJAX requests to the attackers’ server, which passes along malicious code in chunks, which can ultimately be decrypted and assembled into the full browser exploit.

“The exploit used a race condition bug between two threads due to missing proper synchronization between them. It gives an attacker an a use-After-free (UaF) condition that is very dangerous because it can lead to code execution scenarios, which is exactly what happens in our case,” Kaspersky explained in the blog post. “The exploit attempts to perform numerous operations to allocate/free memory along with other techniques that eventually give the attackers an arbitrary read/write primitive. This is used to craft a special object that can be used with WebAssembly and FileReader together to perform code execution for the embedded shellcode payload.”

“The final payload is downloaded as an encrypted binary (worst.jpg) that is decrypted by the shellcode,” Kaspersky continued. “After decryption, the malware module is dropped as updata.exe to disk and executed. For persistence, the malware installs tasks in Windows Task Scheduler.”

Kaspersky did not indicate what the payload’s primarily functionality is, nor has the company been able to conclusively determine if a known threat actor is behind WizardOpium. The company noted some “very weak code similarities” with attacks by reputed North Korean ATP actor Lazarus Group, but this could simply be a false flag. The researchers suggested that the targeting of the Korean-language news portal was actually more in line with the m.o. of DarkHotel, a suspected South Korean ATP group that’s best known for cyber espionage campaigns that target business travelers by attacking the Wi-Fi in their accommodations.

The latest patches to Chrome came just a mere nine days after the official introduction of Chrome version 78 had fixed another 37 security flaws. The three most pressing vulnerabilities to be addressed in that Oct. 22 release were CVE-2019-13699, a use-after-free condition in media; CVE-2019-13700, a buffer overrun in Blink; and CVE-2019-13701, a URL spoof bug in navigation.

The first two issues were reported by Man Yue Mo of the Semmle Security Research Team, for a total of $16,000 in bug bounty earnings. Researcher David Erceg reported the other high-level vulnerability.

Google described the other repaired flaws as a privilege elevation bug in Installer, a URL bar spoofing condition, a CSP bypass, an Extension permission bypass, an out-of-bounds read in PDFium, a file storage disclosure vulnerability, an HTTP authentication spoof condition, two file download protection bypasses, a cross-context information leak, a buffer overflow in expat, a cross-origin data leak, a CSS injection issue, an address bar spoof condition, a server worker state error, two obscured notifications and an IDN spoof situation.