Google Threat Analysis Group (TAG) warnedthat a group of North Korean hackers APT37 (also known as InkySquid, Reaper and Ricochet Chollima), used a previously unknown vulnerability in Internet Explorer to infect South Korean targets with malware.
TAG analysts learned of the attack on October 31, when a malicious Microsoft Office document called «221031 Seoul Yongsan Itaewon accident response situation (06:00).docx» was downloaded from South Korea to VirusTotal. That is, the attackers used as bait the death of 151 people in a stampede in the central district of Seoul. Let me remind you that this incident occurred on October 29, during the celebration of Halloween, the first since the beginning of the coronavirus pandemic.
Once opened on victims’ devices, this document delivered an unknown payload (loading a remote RTF template that represented the remote HTML using Internet Explorer). Downloading remote HTML content that delivered the exploit to the victim’s system allowed hackers to use 0-day in IE, even if targets didn’t use it as the default browser.
You may be interested in:
How to get a list of PowerShell modules
Thiszero-day vulnerability (CVE-2022-41128) is associated with the JavaScript engine in Internet Explorer and allows attackers to execute arbitrary code during rendering of a malicious site. Microsoft developers fixed this bug as part of November Update Tuesday, just five days after assigning the vulnerability the CVE identifier and immediately after receiving the researchers’ report.
Although Google TAG experts could not analyze the final announcement of this campaign, they note that North Korean hackers use a wide range of malware in their attacks.
«Although we did not restore the final payload for this campaign, we have previously observed a group delivering several implants, including ROKRAT, BLUELIGHT, and DOLPHIN,» the researchers wrote. «APT37 implants typically use legitimate cloud services like C&C and have capabilities typical of most backdoors.»