A North Korean threat actor actively exploited a zero-day vulnerability in Internet Explorer to target South Korean users by taking advantage of the recent Itaewon Halloween crowd crush to trick users into downloading malware.
ScarCruft, also tracked as APT37, InkySquid, Reaper, and Ricochet Chollima, is believed to be behind the activity, which was reported by Google Threat Analysis Group (TAG) researchers Benoit Sevens and Clément Lecigne.
TAG stated on Thursday that the group has historically targeted South Korean users, North Korean defectors, policymakers, journalists, and human rights activists.
The new findings demonstrate the threat actor’s continued exploitation of Internet Explorer vulnerabilities such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors such as BLUELIGHT and Dolphin, the latter of which was disclosed by the Slovak cybersecurity company ESET late last month.
RokRat, a Windows-based remote access trojan with a variety of functions that allow it to capture screenshots, log keystrokes, and even harvest Bluetooth device information, is another key weapon in its arsenal.
The attack chain identified by Google TAG starts with a malicious Microsoft Word document uploaded to VirusTotal on October 31, 2022. The vulnerability it exploits, CVE-2022-41128, is a zero-day flaw in Internet Explorer's JScript9 JavaScript engine that Microsoft patched last month.
The file references the October 29 incident in the Itaewon neighborhood of Seoul, trading on public interest in the tragedy as a lure; when opened, it retrieves remote content that exploits the vulnerability. The attack is possible because Office renders HTML content using the Internet Explorer engine.
According to the MalwareHunterTeam, the same Word document was previously shared by the Shadow Chaser Group on October 31, 2022, with the description “interesting DOCX injection template sample from Korea.”
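The "DOCX injection template" description above refers to a document whose settings point at a template fetched from a remote location, which is how Office is made to load attacker-controlled content. As an added example (not code from the article or from Google TAG), this Python check unpacks a DOCX and reports attached-template relationships whose target is remote; the sample documents it scans are constructed inline, and `example.invalid` is a placeholder host.

```python
import io
import zipfile
from typing import List, Optional
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

# Standard OOXML relationship type Word uses for an attached (.dotm) template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def is_remote(target: str) -> bool:
    """True for targets Word would fetch over the network (http/https or UNC)."""
    scheme = urlparse(target).scheme.lower()
    return scheme in ("http", "https") or target.startswith("\\\\")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return attachedTemplate targets in any .rels part that are external AND remote.

    A local path such as file:///C:/.../Normal.dotm is also marked External by Word,
    so the scheme check in is_remote() keeps ordinary documents from being flagged.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "Internal") == "External"
                        and is_remote(target)):
                    hits.append(target)
    return hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal DOCX: just enough parts for the check, not a full document."""
    rels = f'<Relationships xmlns="{RELS_NS}">'
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Run `find_remote_templates()` over a suspect file's bytes; a non-empty result is worth a closer look, while a `file:///` target to a local Normal.dotm is expected and not reported.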
Successful exploitation is followed by shellcode that covers its tracks by clearing the Internet Explorer cache and history, then downloads the next-stage payload.
Google TAG stated that it was unable to recover the subsequent malware used in the campaign, although it is suspected that RokRat, BLUELIGHT, or Dolphin was deployed.
“Unsurprisingly, they continue to target South Korean users,” an ESET malware analyst told The Hacker News. “ScarCruft has not utilized zero-day exploits for some time. Previously, they repurposed public proofs of concept for zero-day exploits.”
“Given the scarcity of zero-day exploits, we anticipate that ScarCruft would combine it with one of its more sophisticated backdoors, such as Dolphin. In addition, the office motif of [command-and-control] domains is consistent with previous campaigns.”