Malicious hackers, hell-bent on infiltrating an organisation, have no qualms about exploiting even the most tragic events.
Take, for instance, the horrific crowd crush that occurred in Seoul's nightlife district of Itaweon on 29 October, when over 150 people were killed during Halloween festivities.
Google's Threat Analysis Group (TAG) reports this week that it saw a North Korean government-backed hacking group using the Seoul Yongsan Itaewon tragedy as a lure to trick innocent individuals in South Korea into opening boobytrapped files.
The researchers say that as early as October 31 2022, people in South Korea were uploading a suspicious Microsoft Office document entitled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx” to the VirusTotal malware-scanning service, curious as to whether it might be dangerous.
Clearly the file was deliberately tailored to appeal to the curiosity of the people of South Korea were understandably interested in the accident, its cause, and the aftermath.
According to TAG, a zero-day vulnerability was embedded in the malicious documents by the APT37 hacking group (also known as ScarCruft, InkySquid, Reaper, and Ricochet Chollima).
The boobytrapped documents exploited a previously-unknown flaw in Internet Explorer, specifically a zero-day vulnerability in the JScript engine that has been given the name CVE-2022-41128.
How can an Internet Explorer zero-day impact Office files? Well, for the simple reason that Microsoft Office renders HTML content using Internet Explorer. In short, if Internet Explorer contains bugs (even if you don't use it as your browser of choice) you can still be at risk when reading documents.
In this particular case we don't know what the criminals were intending to do. The exploit code in the Office files attempted to download a payload from the internet, which the researchers were unable to access - and so, for now, it remains a mystery.
But as the APT37 hacking group has previously targeted South Korean users, North Korean defectors, policy makers, journalists and human rights activists, it wouldn't be a surprise at all if the attack was intended to steal information from compromised PCs or carried a destructive payload.
Within a few hours of uncovering the zero-day vulnerability, Google's research team had reported it responsibly to Microsoft and a patch was released on November 8 2022.
Google's team acknowledged the quick response from Microsoft in responding and patching the vulnerability.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
