An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware.
The discovery, reported by Google Threat Analysis Group researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by ScarCruft, which is also called APT37, InkySquid, Reaper, and Ricochet Chollima.
"The group has historically focused their targeting on South Korean users, North Korean defectors, policy makers, journalists, and human rights activists," TAG said in a Thursday analysis.
The new findings illustrate the threat actor's continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin, the latter of which was disclosed by Slovak cybersecurity firm ESET late last month.
Another key tool in its arsenal is RokRat, a Windows-based remote access trojan that comes with a wide range of functions that allow it to capture screenshots, log keystrokes, and even harvest Bluetooth device information.
The attack chain observed by Google TAG entails the use of a malicious Microsoft Word document that was uploaded to VirusTotal on October 31, 2022. It abuses yet another Internet Explorer zero-day flaw in the JScript9 JavaScript engine, CVE-2022-41128, that was patched by Microsoft last month.
The file references the October 29 incident that took place in the Itaewon neighborhood of Seoul and exploits public interest in the tragedy to retrieve an exploit for the vulnerability upon opening it. The attack is enabled by the fact that Office renders HTML content using Internet Explorer.
As the MalwareHunterTeam points out, the same Word file was previously shared by the Shadow Chaser Group on October 31, 2022, describing it as an "interesting DOCX injection template sample" that originated from Korea.
Successful exploitation is followed by the delivery of a shellcode that wipes all traces by clearing the Internet Explorer cache and history as well as downloading the next stage payload.
Google TAG said it could not recover the follow-on malware used in the campaign, although it's suspected to have involved the deployment of RokRat, BLUELIGHT, or Dolphin.
"It is not surprising that they continue to target South Korean users," ESET malware analyst Filip Jurčacko told The Hacker News. "We haven't seen ScarCruft use zero-day exploits for some time. Previously, they were repurposing public PoCs of n-day exploits."
"Given the rarity/scarcity of zero-day exploits, we expect ScarCruft would use it in combination with some of their more sophisticated backdoors such as Dolphin. Moreover, the office theme of [command-and-control] domains matches previous campaigns."
