A zero-day vulnerability in Internet Explorer has been exploited by a North Korean threat actor targeting South Korean users. The attack capitalized on heightened public sensitivity surrounding the recent Itaewon Halloween crowd crush, using social engineering lures to entice victims into downloading malware.

The discovery was detailed by the Google Threat Analysis Group (TAG), whose researchers Benoît Sevens and Clément Lecigne attributed the activity to the group known as ScarCruft, also tracked as APT37, InkySquid, Reaper, and Ricochet Chollima. The group is known for targeted campaigns against specific demographics: South Korean citizens, defectors from North Korea, and journalists and human rights activists.

The methodology fits the group's track record of exploiting Internet Explorer vulnerabilities, including CVE-2020-1380 and CVE-2021-26411, to deploy backdoors such as BLUELIGHT and Dolphin, the latter recently documented by the Slovak cybersecurity firm ESET.

Significantly, the attackers employed RokRat, a sophisticated Windows-based remote access trojan that enables a range of malicious capabilities, including keystroke logging and the retrieval of Bluetooth device data. This highlights a growing trend of operational sophistication among North Korean cybercriminals.

The attack chain began with a malicious Microsoft Word document uploaded to VirusTotal on October 31, 2022. The document exploited the zero-day in question, CVE-2022-41128, a flaw in Internet Explorer's JScript9 JavaScript engine that Microsoft has since patched. Its lure plays on public interest in the Itaewon tragedy, and the exploit fires as soon as the file is opened, because Office renders the document's HTML content through Internet Explorer.

Security researchers have noted that the same document was also disseminated by the Shadow Chaser Group as a suspected infiltration tool. Once exploitation succeeds, the exploit purges the Internet Explorer cache and history to remove its traces before downloading further malicious payloads.

While Google TAG has not yet identified the follow-on malware used in this campaign, there is speculation that it involved RokRat, BLUELIGHT, or Dolphin. ESET malware analyst Filip Jurčacko noted the targeting of South Korean users and ScarCruft's historical preference for more accessible exploits over zero-days; the use of a zero-day, while rare for the group, suggests an escalation in its operational methods.

In light of this incident, business owners should weigh the implications of such tactics: initial access through malicious documents, persistence through deployed backdoors, and privilege escalation to deepen the compromise. Understanding the risks that zero-day vulnerabilities pose is essential to building robust cybersecurity defenses.
