ScarCruft hackers exploit 0-day in Internet Explorer to target South Koreans

Cybercriminals exploit the known Zero-day vulnerability in Internet Explorer

Google Threat Analysis Group (TAG) published a report^[1] on Thursday about the recently-found Zero-day vulnerability exploited by North Korean government-backed actor APT37, more widely known as ScarCruft, Reaper, InkySquid, Ricochet Chollima or Reaper. The security team detected the threat in late October 2022, which was actively being used to target South Korean users of the Internet Explorer browser.

Google Threat Analysis Group researchers Benoit Sevens and Clement Lecigne said in the report that they immediately reported the findings to Microsoft so that the zero-day vulnerability could be patched as soon as possible.

This is not the first time that ScarCruft has taken advantage of security vulnerabilities in Internet Explorer to target users. The group's past targets have included South Korean users, North Korean defectors, policymakers, journalists, and human rights activists.

Exploiting the Itaewon Halloween crowd crush event

The Halloween crowd crush in Itaewon was a tragic and devastating event. On the night of October 29, 2022, a large crowd gathered in the Itaewon neighborhood of Seoul, South Korea, to celebrate Halloween. However, as the festivities were underway, a crowd crush occurred, resulting in the deaths of at least 158 people and the injury of 196 others.

The majority of the victims were young adults, and the incident has left the community in shock, thus it was unsurprising that the event was reported widely by various news channels and websites alike.

This tragic accident is particularly what North Korean hackers were trying to exploit to make people download malware on their devices, and they did so by employing malware-laced Microsoft Word document titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx.”

Google's TAG report wrote:

On October 31, 2022, multiple submitters from South Korea reported new malware to us by uploading a Microsoft Office document to VirusTotal.

As is common in these exploitation cases, the MS Office document was using the “Protected View” mode, which would protect users from being infected. Those who press the “Enable Editing” button shown next to the warning would immediately allow malicious macros to run, infecting users with malicious software.

CVE-2022-41128 vulnerability in Internet Explorer and arsenal of tools used by hackers

It is common for high-profile cybercriminal groups to make use of various backdoors after exploiting the vulnerabilities found within certain software. This incident is not an exclusion, and malicious documents exploited an Internet Explorer 0-day vulnerability in the JScript engine, known as CVE-2022-41128.^[2]

The malicious Word documents sent to users would exploit a vulnerability in Internet Explorer in the JScript9 Engine. The Office application uses Internet Explorer to render HTML content, which makes the attack possible. After successful exploitation, a shellcode delivers payloads that clear the Internet Explorer cache and history, allowing for little to no traces. Microsoft has patched the CVE-2022-41128 update in its November 2022 updates.^[3]

While Google TAG was unable to determine which precise malware was used in this campaign, it is assumed that tools are widely used by ScarCruft. Previously, APT37 was found using other Internet Explorer vulnerabilities, such as 2020-1380 and CVE-2021-26411, to deliver Dophin^[4] or BLUELIGHT backdoors to South Koran users' devices. RokRat Remote Access Trojan is another widely-used tool by attackers to exfoliate sensitive data of victims.