A North Korean threat actor actively exploited a zero-day vulnerability in Internet Explorer to trick South Korean users into downloading malware, using the Itaewon Halloween crowd crush as a lure.
The discovery, made by Google Threat Analysis Group (TAG) researchers Benoît Sevens and Clément Lecigne, is the latest in a series of attacks carried out by ScarCruft, also known as APT37, InkySquid, Reaper, and Ricochet Chollima.
In a Thursday analysis, TAG stated, “The group has historically focused their targeting on South Korean users, North Korean defectors, policymakers, journalists, and human rights activists.”
The new findings show that the threat actor continues to weaponize Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin; the latter was disclosed by the Slovak cybersecurity firm ESET late last month.
RokRat, a Windows-based remote access trojan with a wide range of features that enable it to capture screenshots, log keystrokes, and even harvest Bluetooth device information, is another important tool in its arsenal.
The attack chain observed by Google TAG involves a malicious Microsoft Word document that was uploaded to VirusTotal on October 31, 2022. It abuses another Internet Explorer zero-day flaw in the JScript9 JavaScript engine, CVE-2022-41128, which Microsoft patched last month.
The document lures victims by referencing the October 29 incident in the Itaewon neighborhood of Seoul, taking advantage of public interest in the tragedy; once opened, it retrieves an exploit for the vulnerability from a remote server. The attack is possible because Office renders the fetched HTML content with Internet Explorer's engine.
As MalwareHunterTeam points out, the same Word file was previously shared by the Shadow Chaser Group on October 31, 2022, which described it as an “interesting DOCX injection template sample” from Korea.
After successful exploitation, shellcode is delivered that downloads the next-stage payload and covers its tracks by clearing Internet Explorer's cache and history.
Google TAG said it was unable to recover the follow-on malware, although RokRat, BLUELIGHT, or Dolphin are suspected to have been used in the campaign.
“It isn’t really unexpected that they continue to focus on South Korean users,” ESET malware researcher Filip Jurčacko told The Hacker News. “Zero-day exploits have not been used by ScarCruft in some time. In the past, they were repurposing n-day exploits’ public PoCs.”
“We anticipate that ScarCruft would use it in conjunction with some of their more sophisticated backdoors, such as Dolphin, given the rarity and scarcity of zero-day exploits. Additionally, the command-and-control domain office theme is consistent with previous campaigns.”