Google: North Korea is using the Seoul tragedy to spread malware
According to a new release from Google's Threat Analysis Group, North Korean hackers exploited a vulnerability in Microsoft's Internet Explorer in late October last year.
The group explained that the attack targeted South Korean users by embedding malicious code in documents related to the recent Itaewon tragedy in the capital, Seoul.
Microsoft officially discontinued Internet Explorer last June and replaced it with a new browser, Edge.
However, the Threat Analysis Group's technical analysis shows that Office still uses the Internet Explorer engine to run JavaScript, which is what allows the attack to succeed even though the browser itself has been retired.
The vulnerability affects Windows versions 7 through 11 and Windows Server versions 2008 through 2022, which are missing the security update introduced last November.
Google's Threat Analysis Group said it became aware of the vulnerability when a malicious Office document named "221031 Seoul Yongsan Itaewon Incident Response Situation (06:00).docx" was uploaded to the VirusTotal malware-scanning service on October 31, 2022.
The document capitalised on the widespread public attention to the Oct. 29 tragedy in Itaewon, when 151 people were killed in a crowd crush during Seoul's Halloween celebrations.
The document exploits a vulnerability in jscript9.dll, Internet Explorer's JavaScript engine, of the kind that can be used to deliver malware or other malicious code when a victim views an attacker-controlled website.
The Threat Analysis Group attributed the attack to a state-backed North Korean group known as APT37, which has previously used Internet Explorer vulnerabilities to target North Korean defectors, policy makers, journalists and human rights activists, typically in South Korea.
Although the Threat Analysis Group did not recover the final malware used in this campaign, APT37 has previously been observed using similar vulnerabilities to install ROKRAT, BLUELIGHT, DOLPHIN and other malware.
In the new campaign, Google notified Microsoft within hours of discovering the bug on October 31, and Microsoft patched it on November 8.