North Korean Hackers Used IE Vulnerability to Target South Koreans After Halloween Tragedy

Following the Itaewon Halloween crowd crush that killed at least 158 people, North Korea's state-sponsored hacking group APT37 took advantage of a previously unknown vulnerability in Internet Explorer to install malware on the devices of South Koreans who were trying to find out about the tragedy, according to Google's Threat Analysis Group. The team became aware of the recent October 31 attack after several South Koreans uploaded a malicious Microsoft Office document to the company's VirusTotal tool.

APT37 capitalized on national interest in the Itaewon tragedy by referencing the event in an official-looking document. Once someone opened the document on their device, it would download a remote rich text file template, which in turn would render remote HTML using Internet Explorer's engine. According to Google, this technique has been widely used to spread exploits since 2017, as it allows hackers to take advantage of Internet Explorer vulnerabilities even when the victim does not use IE as their default web browser.

The JavaScript vulnerability that APT37 took advantage of allowed the group to execute arbitrary code. Google notified Microsoft of the zero-day the same day it became aware of it. On November 8, Microsoft released a software update to patch the vulnerability. "We would be remiss if we did not acknowledge the prompt response and patching of this vulnerability by the Microsoft team," Google said.

While the TAG team has not had the opportunity to analyze the latest malware the APT37 hackers attempted to deploy against their targets, they do note that the group is known to use a wide variety of malware, including ROKRAT, BLUELIGHT and DOLPHIN. "TAG has also identified other documents likely exploiting the same vulnerability and with similar targeting, which may be part of the same campaign," the team added.

This isn't the first time Google's Threat Analysis Group has foiled an attack by North Korean hackers. In early 2021, the team detailed a campaign targeting security researchers. Most recently, the team worked with the Chrome team to address a vulnerability used by two North Korean hacking frameworks to execute code remotely.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you purchase something through one of these links, we may earn an affiliate commission. All prices correct at time of publication.