Zero-day Exploits of Operation WizardOpium

In the end of 2019 year we have caught a new unknown exploit that was distributed with waterhole-style injection on a Korean-language news portal. After removing a multiple layers of obfuscation it appeared that we have found a zero-day that was exploiting unpatched vulnerability in one of the recent versions of Google Chrome. The final payload of this attack had no definitive links with any known threat actors and we have called it “Operation WizardOpium”. In this presentation, we would like to focus on analysis of exploits and vulnerabilities used in “Operation WizardOpium” as our further research revealed the use of multiple unpatched vulnerabilities.