North Korean state-sponsored hackers exploited a previously unknown zero-day vulnerability in Internet Explorer to target South Korean users with malware, according to Google’s Threat Analysis Group.
Google researchers first discovered the zero-day flaw on Oct. 31, when several individuals uploaded a malicious Microsoft Office document to the company’s VirusTotal service. The document purported to be a government report on the Itaewon tragedy, the crowd crush that occurred during Halloween festivities in Seoul’s Itaewon neighborhood. At least 158 people were killed and 196 others were injured.
“This incident was widely publicized and the lure is benefiting from widespread public interest in the accident,” said Google TAG’s Clement Lecigne and Benoit Stevens on Wednesday.
“This technique has been widely used since 2017 to distribute IE exploits through Office files,” said Lecigne and Stevens. “Delivering IE exploits through this vector has the advantage that the target does not require Internet Explorer to be used as the default browser.”
The researchers added that Google reported the vulnerability to Microsoft on Oct. 31. Microsoft patched it about a week later as part of its November 2022 Patch Tuesday security updates.
Google has attributed the activity to a North Korean-backed hacking group known as APT37, which has been active since at least 2012 and has previously been observed exploiting zero-day flaws to target South Korean users, North Korean defectors, policymakers, journalists and human rights activists. Cybersecurity firm FireEye previously said it judged with “high confidence” that APT37 activity is conducted on behalf of the North Korean government, noting that the group’s primary mission is “covert intelligence gathering in support of strategic military, political and economic interests of North Korea.”
While Google researchers were unable to recover the malware APT37 tried to deploy against these targets, they note that the group is known to use a wide variety of malicious software.
“While we have not recovered a final payload for this campaign, we have previously seen the same group deliver several implants such as ROKRAT, BLUELIGHT and DOLPHIN,” said Lecigne and Stevens. “APT37 implants typically exploit legitimate cloud services as a C2 channel and provide capabilities typical of most backdoors.”
The Google TAG investigation comes after researchers from threat intelligence firm Cisco Talos revealed that the North Korean state-sponsored Lazarus hacking group – also known as APT38 – is exploiting the Log4Shell vulnerability to target energy suppliers in the United States, Canada and Japan.