North Korean state-sponsored hackers targeted South Korean users with malware when they exploited a previously unknown zero-day vulnerability in Internet Explorer, according to Google’s Threat Analysis Group (TAG).
TAG became aware of the flaw after a document titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx” was uploaded to their VirusTotal tool.
The document references the tragic incident in Seoul’s Itaewon neighborhood during Halloween festivities when a crowd crush in a narrow alleyway resulted in at least 158 people dying and 196 others injured.
Google notified Microsoft that same day, and on November 8th Microsoft released a patch. Microsoft didn’t release a statement on who else might be endangered by the vulnerability or in what other ways it is being actively exploited.
Once opened, the malicious document, which requires a user to disable protected view, downloads a rich text file (RTF) remote template that fetches remote HTML content using Internet Explorer.
TAG’s security researchers, Clement Lecigne and Benoit Sevens, explained that this is possible,
They further went on to add that:
Who Are the Notorious, North Korean Hackers?
According to Google, the group behind this attack is APT37 — a group of malicious hackers backed by the North Korean government. The group, considered active for at least a decade, has previously targeted North Korean:
- Human rights activists
Plus, South Korean Internet Explorer users — all through similar zero-day vulnerability exploits.
TAG says that it “didn’t recover a final payload for this campaign” and added that it previously observed APT37 using similar exploits to deliver a variety of implants like Rokrat, Bluelight, and Dolphin.
This discovery by Google’s TAG comes right after another group of researchers at Cisco Talos discovered that another North Korean-sponsored group, Lazarus — also known as APT38 — is exploiting Log4Shell to target energy providers in Canada, Japan, and the U.S.
Lazarus Group is also notorious for its attacks on crypto networks like the recent Harmony Bridge hack. What do you think: are North Korean hackers a threat, and if so, how should this be dealt with?