A zero-day vulnerability in Web Explorer has been actively exploited by a North Korean menace actor to focus on South Korean customers by capitalizing on the latest Itaewon Halloween crowd crush to trick customers into downloading malware.
The invention, reported by Google Risk Evaluation Group researchers Benoît Sevens and Clément Lecigne, is the newest collection of assaults by Google. ScarCruftadditionally known as APT37, InkySquid, Reaper and Ricochet Chollima.
“The group has at all times centered its concentrating on on South Korean customers, North Korean defectors, policymakers, journalists and human rights activists,” TAG mentioned in an evaluation Thursday.
The brand new findings illustrate the menace actor’s continued abuse of Web Explorer flaws akin to CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin, the latter of which was disclosed by the Slovak cybersecurity firm ESET on the finish of final month.
One other key software in its arsenal is RokRat, a Home windows-based distant entry Trojan that comes with a variety of capabilities that enable it to seize screenshots, log keystrokes, and even accumulate details about Bluetooth gadgets.
The assault chain noticed by Google TAG entails using a malicious Microsoft Phrase doc that was uploaded to VirusTotal on October 31, 2022. It exploits one other Web Explorer zero-day flaw within the JScript9 JavaScript engine, CVE -2022-41128, which was patched by Microsoft final month.
The file references the October 29 incident that befell within the Itaewon district of Seoul and exploits public curiosity within the tragedy to get better an exploit for the vulnerability when it was opened. The assault is enabled by Workplace rendering HTML content material utilizing Web Explorer.
Because the MalwareHunterTeam factors out that the identical Phrase file was already shared by the Shadow Chaser Group on October 31, 2022, describing as an “attention-grabbing DOCX injection sample pattern” from Korea.
Profitable exploitation is adopted by the supply of a shellcode that erases all traces by clearing Web Explorer’s cache and historical past in addition to downloading the subsequent step payload.
Google TAG mentioned it couldn’t get better the monitoring malware used within the marketing campaign, though it’s suspected to have concerned the deployment of RokRat, BLUELIGHT or Dolphin.
“It is no shock that they proceed to focus on South Korean customers,” ESET malware analyst Filip Jurčacko instructed The Hacker Information. “We’ve not seen ScarCruft use zero-day exploits shortly. They used to redirect public n-day exploit PoCs.”
“Given the rarity of zero-day exploits, we count on ScarCruft to make use of this together with a few of their extra refined backdoors akin to Dolphin. Moreover, the desktop theme of [command-and-control] domains matches earlier campaigns.”
Supply : https://information.google.com/__i/rss/rd/articles/CBMiTWh0dHBzOi8vdGhlaGFja2VybmV3cy5jb20vMjAyMi8xMi9nb29nbGUtd2FybnMtb2YtaW50ZXJuZXQtZXhwbG9yZXItemVyby5odG1s0gFTaHR0cHM6Ly90aGVoYWNrZXJuZXdzLmNvbS8yMDIyLzEyL2dvb2dsZS13YXJucy1vZi1pbnRlcm5ldC1leHBsb3Jlci16ZXJvLmh0bWw_YW1wPTE?oc=5
