An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users, capitalizing on the recent Itaewon Halloween crowd crush to trick them into downloading malware.
The discovery, reported by Google Threat Analysis Group (TAG) researchers Benoît Sevens and Clément Lecigne, is the latest in a series of attacks attributed to ScarCruft, which is also tracked as APT37, InkySquid, Reaper, and Ricochet Chollima.
“The group has historically focused on and targeted South Korean users along with North Korean defectors, policy makers, journalists as well as human rights activists,” TAG said in a Thursday analysis.
The new findings illustrate the threat actor’s continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin, the latter of which was disclosed by Slovak cybersecurity firm ESET late last month.
Another key tool in its arsenal is said to be RokRat, a Windows-based remote access trojan with a wide range of functions that allow it to capture screenshots, log keystrokes, and harvest Bluetooth device information.
The attack chain observed by Google TAG entails the use of a malicious Microsoft Word document that was uploaded to VirusTotal on October 31, 2022. It abuses yet another Internet Explorer zero-day flaw in the JScript9 JavaScript engine, CVE-2022-41128, that was patched by Microsoft last month.
The file references the October 29 incident in the Itaewon neighborhood of Seoul and exploits public interest in the tragedy to get the target to open it, at which point it retrieves an exploit for the vulnerability. The attack is possible because Office renders HTML content using Internet Explorer.
As Malware Hunter Team points out, the same Word file was previously shared by the Shadow Chaser Group on October 31, 2022, which described it as an “interesting DOCX injection template sample” originating from Korea.
Successful exploitation is followed by the delivery of shellcode that wipes traces of the attack by clearing the Internet Explorer cache and history, and then downloads the next-stage payload.
Google TAG said it could not recover the follow-on malware used in the campaign, although it’s suspected to have involved the deployment of RokRat, BLUELIGHT, or Dolphin.