Google’s Threat Analysis Group discovered that an Internet Explorer zero-day vulnerability was used to lure victims using Microsoft Office documents referencing the Itaewon Halloween crowd crush tragedy. | Photo by Amelia Holowaty Krales / The Verge
A new blog post from Google’s Threat Analysis Group (TAG) reveals that an Internet Explorer zero-day vulnerability was actively exploited by North Korea in October 2022. The attack targeted South Korean users by embedding malware in documents that reference the recent Itaewon crowd crush tragedy in Seoul.
The Internet Explorer web browser was officially retired in June 2022 and has since been replaced by Microsoft Edge. However, as TAG’s technical analysis explains, Office still uses the IE engine to execute the JavaScript that enables the attack, which is why it worked on Windows 7 through 11 and Windows Server 2008 through 2022 machines that haven’t installed the November 2022 security updates.
TAG became aware of the vulnerability when the malicious Microsoft Office documents titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx” were uploaded to VirusTotal on October 31st, 2022. The documents took advantage of widespread publicity over the tragedy in Itaewon on October 29th in which 151 people lost their lives in a crowd crush during a Halloween celebration in Seoul.
The document exploited an Internet Explorer zero-day vulnerability in “jscript9.dll,” the JavaScript engine of Internet Explorer, which could be used to deliver malware or other malicious code when rendering a website controlled by the attacker. TAG attributes the attack to a group of North Korean government-backed actors known as APT37, which has previously used similar Internet Explorer zero-day exploits in targeted attacks against North Korean defectors, policymakers, journalists, human rights activists, and South Korean IE users in general.
TAG says in the blog post that it “did not recover a final payload for this campaign” but notes that it has previously observed APT37 using similar exploits to deliver malware such as Rokrat, Bluelight, and Dolphin. In this instance, the vulnerability was reported to Microsoft within hours of its discovery on October 31st and was patched on November 8th.