North Korean hackers took advantage of the Seoul Halloween tragedy to spread malware in South Korea, Google’s Threat Analysis Group (TAG) has discovered. The malicious software was hidden inside an official-looking document entitled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”.
Researchers found that the malicious Word file exploited CVE-2022-41128, a zero-day vulnerability in Internet Explorer’s JScript engine that had previously been reported. When opened, the document downloaded a remote rich text file (RTF) template, which in turn rendered HTML content using Internet Explorer on the device.
Google’s Threat Analysis Group (TAG)
Google’s Threat Analysis Group (TAG) recently identified North Korean hackers using the Seoul Halloween tragedy as a lure in a zero-day attack that targeted users in South Korea. The malware was embedded in an MS Word document that appeared to be related to the crowd crush that claimed 158 lives on October 29 in the Itaewon neighborhood of Seoul.
Google reported that the hackers exploited a zero-day vulnerability in Internet Explorer to spread malware to victims’ devices. Furthermore, the document contained JavaScript code which allowed the attackers to remotely execute code on their targets’ computers.
Google’s report states that APT37, a group of North Korean government-backed hackers, has been involved in past attacks that targeted users, defectors and policymakers. The hacker collective has used implants that grant them access to their target’s computer system in the past.
TAG also discovered that Russia-backed threat actors such as Callisto Group (which Google tracks as COLDRIVER) have launched DDoS attacks and phishing campaigns against various entities. These “advanced” campaigns allowed the attackers to obtain data, information or credentials through various methods.
North Korea’s illicit nuclear weapons program has been linked to hundreds of millions of dollars in losses caused by these threats, suggesting the country cannot finance its missile tests through traditional budgetary means and instead relies on cryptocurrency theft for funding.
Google’s threat analysis team believes the attackers are a hack-for-hire group. These operators possess advanced hacking abilities and typically work as freelance threat actors, stealing data from and breaking into the systems of governments, businesses, politicians, journalists, activists and others around the world.
Google’s TAG first identified APT37 in October 2017, and the group has a history of targeting South Korean users, North Korean defectors and policymakers with malware. This campaign employed a previously unknown zero-day vulnerability in Internet Explorer to deliver malicious documents to victims’ devices; the vulnerability was first reported to Microsoft on October 31, and patches were released the following day, November 8.
Google’s Threat Analysis Group (TAG) recently identified ScarCruft, a North Korean hacking group also known as APT37, InkySquid, Reaper and Ricochet Chollima, exploiting an Internet Explorer vulnerability to target South Korean users. According to TAG reports, the group has historically targeted South Koreans, including defectors from North Korea, policymakers, journalists and human rights activists, with impunity.
Once the exploit succeeds, the document reaches out to a command-and-control server. From there it executes shellcode that covers its tracks by clearing Internet Explorer’s cache and history before downloading the next-stage payload.
Security researchers at ESET have found that this malware is only capable of infecting computers running Windows, and that it can also be distributed via email and social media. Furthermore, the attackers have been observed using a backdoor known as Dolphin to launch attacks against specific targets.
Kaspersky Lab recently reported that the ScarCruft group had been distributing malware through steganography, that is, hiding malicious files within seemingly innocent image files. This technique is often employed to evade detection and prosecution.
ScarCruft also uses a backdoor that relies on Google Drive to give the group access to compromised systems and the files it wants. This backdoor enables the group to conduct cyberespionage, steal personal information and harvest mobile device data.
The ScarCruft group has been active since 2012 and is responsible for numerous APT campaigns, such as Operation Daybreak. That operation used spear-phishing emails and a previously unknown zero-day flaw in Adobe Flash Player to launch attacks against South Korea. Other attacks, against a South Korean digital newspaper and using zero-day Internet Explorer exploits, have also been attributed to the group.
Google’s Threat Analysis Group (TAG) recently identified a North Korean government-backed hacking group known as APT37 or ScarCruft exploiting an Internet Explorer zero-day vulnerability to target South Korean users. Researchers discovered the malware in late October when multiple people in South Korea uploaded an unfamiliar Microsoft Office document to VirusTotal, an online file-scanning tool operated by Google’s TAG team.
The fake report, entitled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”, contained information regarding the deadly Halloween crush that took place in Seoul’s Itaewon nightlife district on October 29. As thousands of young revellers packed into narrow alleyways to celebrate, 158 died.
APT37 is a well-known North Korean government-backed hacking group that targets South Koreans, North Korean defectors, policymakers, journalists and human rights activists worldwide. Additionally, APT37 has spread several types of backdoors which enable its hackers to take control of devices.
The TAG team reported that the attackers used an IE zero-day exploit to infect South Korean targets with malware by loading a remote HTML template, which caused Internet Explorer to render the remote content. Once it was loaded on victims’ devices, the attackers could inject rogue code into the targeted system for whatever malicious purpose they desired.
Additionally, since this attack leveraged a zero-day flaw in Internet Explorer, victims did not need to have it set as their default browser. This approach has been employed since 2017 to distribute IE exploits without requiring that victims use Internet Explorer as their main browser.
Google’s Threat Analysis Group (TAG) has discovered that a North Korean hacking group exploited the Seoul Halloween tragedy to distribute malicious software in South Korea. The hackers embedded malware in documents purporting to be government reports, according to TAG’s report.
North Korean hackers used a zero-day vulnerability in Microsoft Word to spread malware, the company reported. A “zero-day” is an attack that exploits a flaw in a system which is unknown to its maker and therefore cannot be fixed before malicious actors, such as North Korean hackers, exploit it.
Researchers found the attackers used a document that referenced an October 29 incident in Seoul’s Itaewon nightlife district, where 158 people perished due to a crowd crush. This event had been widely reported on, and hackers used it as bait to trick people into opening malicious files, Google’s blog post noted.
When users opened the malicious documents, the documents downloaded a rich text file (RTF), which then fetched remote HTML content, an approach commonly used by threat actors to steal information from vulnerable devices, according to Google’s Threat Analysis Group (TAG).
Such vulnerabilities are frequently combined with backdoors that steal information from compromised PCs, the TAG blog noted. The hackers then have the ability to access other computers on the network and collect data without the user’s consent.
On November 8, 2016, multiple South Korean users uploaded the document to VirusTotal, which analyzes suspicious files, and this alerted the TAG team to the exploit. Microsoft quickly issued a patch that same day to fix the issue, according to Google’s blog post.
The North Korean hackers used the document to download a malicious file, which could then be executed on devices running Windows 8.1 or 10. The exploit allowed the installation of a remote template that fetched injected content over an internet connection, an approach used by threat actors since at least 2017, according to the TAG blog post.
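The remote-template mechanism described above leaves a static fingerprint in the .docx file itself, which makes it a useful triage check for defenders: a .docx is a zip of XML parts, and a document that loads its template from a remote location carries an `attachedTemplate` relationship with `TargetMode="External"` in `word/_rels/settings.xml.rels`. The scanner below is an added example written for this page, not code from Google TAG, ESET, Kaspersky or the article. It builds two constructed in-memory .docx files (no exploit content; the placeholder URL `http://template.invalid/report.dotm` is made up for the example and is not an indicator from the campaign) and flags the one whose template would be fetched from outside the package, while ignoring ordinary external hyperlinks.

```python
"""Static check for remote (external) template references in .docx files.

Added example, not code from the article or from Google TAG. Hyperlinks are
also External relationships, so the check filters on the relationship type
(attachedTemplate), not on TargetMode alone.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"
HYPERLINK = OFFICE_REL + "hyperlink"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def find_external_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """List every relationship in any .rels part whose target lies outside the package."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") == "External":
                    findings.append({
                        "part": name,
                        # short relationship type, e.g. 'attachedTemplate' or 'hyperlink'
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": rel.get("Target", ""),
                    })
    return findings


def has_remote_template(docx_bytes: bytes) -> bool:
    """True if the document would pull its template from an external location.

    The target's file extension is deliberately ignored: the article notes the
    fetched template was an RTF, and a server can return anything regardless of name.
    """
    return any(f["type"] == "attachedTemplate"
               for f in find_external_relationships(docx_bytes))


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal, constructed .docx (no exploit content, not a real sample).

    With template_target set, the file carries an external attachedTemplate
    relationship; without it, only a benign external hyperlink is present.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                    '<Default Extension="xml" ContentType="application/xml"/>'
                    '</Types>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>constructed sample'
                    '</w:t></w:r></w:p></w:body></w:document>' % WORD_NS)
        # A benign external hyperlink: present in both samples, must not trigger the check.
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                    'Target="https://example.org/" TargetMode="External"/></Relationships>'
                    % (REL_NS, HYPERLINK))
        if template_target is not None:
            zf.writestr("word/settings.xml",
                        '<w:settings xmlns:w="%s" xmlns:r="%s">'
                        '<w:attachedTemplate r:id="rId1"/></w:settings>'
                        % (WORD_NS, OFFICE_REL.rstrip("/")))
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                        'Target="%s" TargetMode="External"/></Relationships>'
                        % (REL_NS, ATTACHED_TEMPLATE, template_target))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL: constructed for this example, not an indicator from the campaign.
    suspicious = build_sample_docx("http://template.invalid/report.dotm")
    clean = build_sample_docx(None)
    for label, blob in (("suspicious", suspicious), ("clean", clean)):
        print(label, "remote template:", has_remote_template(blob),
              find_external_relationships(blob))
```

Run against a real file with `has_remote_template(open(path, "rb").read())`. A hit is a triage signal, not proof of compromise: legitimate corporate templates are sometimes hosted on internal shares, so the target (internal UNC path versus an unknown internet host) is what an analyst should look at next, and `find_external_relationships` returns it for that purpose.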