{
	"id": "58151ff0-b2ce-4139-b3ff-4e87c57bd538",
	"created_at": "2026-04-06T00:19:15.686294Z",
	"updated_at": "2026-04-10T03:29:57.874549Z",
	"deleted_at": null,
	"sha1_hash": "0721118047d7cf243cb2bfeece987fbd57651abe",
	"title": "Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 203832,
	"plain_text": "Chrome 0-day exploit CVE-2019-13720 used in Operation\r\nWizardOpium\r\nBy AMR\r\nPublished: 2019-11-01 · Archived: 2026-04-05 12:59:56 UTC\r\nExecutive summary\r\nKaspersky Exploit Prevention is a component of Kaspersky products that has successfully detected a number\r\nof zero-day attacks in the past. Recently, it caught a new unknown exploit for Google’s Chrome browser. We\r\npromptly reported this to the Google Chrome security team. After reviewing the PoC we provided, Google\r\nconfirmed there was a zero-day vulnerability and assigned it CVE-2019-13720. Google has released Chrome\r\nversion 78.0.3904.87 for Windows, Mac, and Linux and we recommend that all Chrome users update to this latest\r\nversion as soon as possible! You can read Google’s bulletin by clicking here.\r\nKaspersky endpoint products detect the exploit with the help of the exploit prevention component. The verdict for\r\nthis attack is Exploit.Win32.Generic.\r\nWe are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link\r\nwith any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these\r\ncould very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks\r\nthat have recently deployed similar false flag attacks.\r\nMore details about CVE-2019-13720 and recent DarkHotel false flag attacks are available to customers of\r\nKaspersky Intelligence Reporting. For more information, contact: intelreports@kaspersky.com.\r\nTechnical details\r\nThe attack leverages a waterhole-style injection on a Korean-language news portal. 
Malicious JavaScript code\r\nwas inserted into the main page, which in turn loads a profiling script from a remote site.\r\nRedirect to the exploit landing page\r\nThe main index page hosted a small JavaScript tag that loaded a remote script from\r\nhxxp://code.jquery.cdn.behindcorona[.]com/.\r\nhttps://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/\r\nPage 1 of 6\n\nThe script then loads another script named .charlie.XXXXXXXX.js. This JavaScript checks whether the victim’s system\r\ncan be infected by examining the browser’s user agent: the browser should run on a 64-bit version\r\nof Windows and not be a WOW64 process; it also tries to get the browser’s name and version. The exploit\r\ntargets a bug in the Google Chrome browser, so the script checks whether the version is greater than or equal to 65\r\n(the current Chrome version is 78):\r\nChrome version checks in the profiling script (.charlie.XXXXXXXX.js)\r\nIf the browser version checks out, the script starts performing a number of AJAX requests to the attacker-controlled\r\nserver (behindcorona[.]com), where the path name points to the argument that is passed to the script\r\n(xxxxxxx.php). The first request is necessary to obtain some important information for further use. This\r\ninformation includes several hex-encoded strings that tell the script how many chunks of the actual exploit code\r\nshould be downloaded from the server, as well as a URL to the image file that embeds a key for the final payload\r\nand an RC4 key to decrypt these chunks of the exploit’s code.\r\nExploitation chain – AJAX requests to xxxxxxx.php\r\nAfter downloading all the chunks, the script decrypts them with RC4 and concatenates all the parts together, which gives the\r\nattacker a new JavaScript code containing the full browser exploit. 
To decrypt the parts, the previously retrieved\r\nRC4 key is used.\r\nOne more version check\r\nThe browser exploit script is obfuscated; after de-obfuscation we observed a few peculiar things:\r\n1. Another check is made against the user agent string – this time it checks that the browser version is 76\r\nor 77. This could mean that the exploit authors have only worked on these versions (a previous exploitation\r\nstage checked for version number 65 or newer) or that other exploits have been used in the past for older\r\nChrome versions.\r\nObfuscated exploit code\r\n2. There are a few functions that operate on the browser’s built-in BigInt class, which is useful for doing 64-bit\r\narithmetic inside JavaScript code, for example, to work with native pointers in a 64-bit environment.\r\nUsually, exploit developers implement their own functions for doing this by working with 32-bit numbers.\r\nHowever, in this case, BigInt is used, which should be faster because it’s implemented natively in the\r\nbrowser’s code. The exploit developers don’t use all 64 bits here, but instead operate on a smaller range of\r\nnumbers. This is why they implement a few functions to work with the higher/lower parts of the number.\r\nSnippet of code to work with 64-bit numbers\r\n3. There are many functions and variables that are not used in the actual code. This usually means that they\r\nwere used for debugging and were then left behind when the code was moved to production.\r\n4. The majority of the code uses several classes related to a certain vulnerable component of the browser. As\r\nthis bug has still not been fixed, we are not including details about the specific vulnerable component here.\r\n5. There are a few big arrays with numbers that represent a shellcode block and an embedded PE image.\r\nThe analysis we have provided here is deliberately brief due to vulnerability disclosure principles. The exploit\r\nused a race condition bug between two threads due to missing proper synchronization between them. It gives an\r\nattacker a Use-After-Free (UaF) condition that is very dangerous because it can lead to code execution\r\nscenarios, which is exactly what happens in our case.\r\nThe exploit first tries to trigger the UaF to perform an information leak of important 64-bit addresses (as a\r\npointer). This achieves a few things: 1) if an address is leaked successfully, it means the exploit is working\r\ncorrectly; 2) the leaked address is used to learn where the heap/stack is located, which defeats the address space\r\nlayout randomization (ASLR) technique; 3) a few other useful pointers for further exploitation can be located by\r\nsearching near this address.\r\nAfter that it tries to create a bunch of large objects using a recursive function. This is done to produce a\r\ndeterministic heap layout, which is important for successful exploitation. At the same time, it attempts to use\r\na heap spraying technique that aims to reuse the same pointer that was freed earlier in the UaF part. This trick\r\ncould be used to cause confusion and give the attacker the ability to operate on two different objects (from a\r\nJavaScript code perspective), though in reality they are located in the same memory region.\r\nThe exploit attempts to perform numerous operations to allocate/free memory along with other techniques that\r\neventually give the attackers an arbitrary read/write primitive. 
This is used to craft a special object that can be\r\nused with WebAssembly and FileReader together to perform code execution for the embedded shellcode payload.\r\nFirst stage shellcode\r\nPayload description\r\nThe final payload is downloaded as an encrypted binary (worst.jpg) that is decrypted by the shellcode.\r\nEncrypted payload – worst.jpg\r\nAfter decryption, the malware module is dropped to disk as updata.exe and executed. For persistence, the malware\r\ninstalls tasks in Windows Task Scheduler.\r\nThe payload ‘installer’ is a RAR SFX archive with the following information:\r\nFile size: 293,403\r\nMD5: 8f3cd9299b2f241daf1f5057ba0b9054\r\nSHA256: 35373d07c2e408838812ff210aa28d90e97e38f2d0132a86085b0d54256cc1cd\r\nThe archive contains two files:\r\nFile name: iohelper.exe\r\nMD5: 27e941683d09a7405a9e806cc7d156c9\r\nSHA256: 8fb2558765cf648305493e1dfea7a2b26f4fc8f44ff72c95e9165a904a9a6a48\r\nFile name: msdisp64.exe\r\nMD5: f614909fbd57ece81d00b01958338ec2\r\nSHA256: cafe8f704095b1f5e0a885f75b1b41a7395a1c62fd893ef44348f9702b3a0deb\r\nBoth files were compiled at the same time, which, if we are to believe the timestamp, was “Tue Oct 8 01:49:31\r\n2019”.\r\nThe main module (msdisp64.exe) tries to download the next stage from a hardcoded set of C2 servers. The next stages\r\nare located on the C2 server in folders named after the victim computer names, so the threat actors have information\r\nabout which machines were infected and place the next stage modules in specific folders on the C2 server.\r\nMore details about this attack are available to customers of Kaspersky Intelligence Reporting. 
For more\r\ninformation, contact: intelreports@kaspersky.com.\r\nIoCs\r\nSource: https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/"
	],
	"report_names": [
		"94866"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2008a79d-2f3a-475f-abef-3bc119a1bf38",
			"created_at": "2022-10-25T16:07:24.028651Z",
			"updated_at": "2026-04-10T02:00:04.845194Z",
			"deleted_at": null,
			"main_name": "Operation WizardOpium",
			"aliases": [],
			"source_name": "ETDA:Operation WizardOpium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cd3fcb0-eb56-49ac-8125-47ebee93311d",
			"created_at": "2023-01-06T13:46:39.065814Z",
			"updated_at": "2026-04-10T02:00:03.201808Z",
			"deleted_at": null,
			"main_name": "Operation WizardOpium",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation WizardOpium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434755,
	"ts_updated_at": 1775791797,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0721118047d7cf243cb2bfeece987fbd57651abe.pdf",
		"text": "https://archive.orkl.eu/0721118047d7cf243cb2bfeece987fbd57651abe.txt",
		"img": "https://archive.orkl.eu/0721118047d7cf243cb2bfeece987fbd57651abe.jpg"
	}
}