Google researchers discovered the zero-day flaw on October 31st when multiple individuals uploaded a malicious Microsoft Office document to the company’s VirusTotal tool. These documents looked like government reports that referenced the recent Itaewon crowd crush tragedy in Seoul.

North Korean hacking group APT37 carried out the attack

Google’s Threat Analysis Group (TAG) explained that the APT37 hacking group carried out the attacks using spearphishing emails designed to trick recipients into clicking on a link or attachment containing malware. The malicious Microsoft Office documents, titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx,” took advantage of the public interest in the tragedy that occurred in Itaewon on October 29th, in which 151 people lost their lives in a crowd crush during the Halloween festivities.

TAG security researchers found that the North Korean hackers exploited a zero-day vulnerability in Internet Explorer’s script engine, tracked as CVE-2022-41128 with a CVSS severity rating of 8.8. Once a victim opened one of the malicious documents, it downloaded a rich text file (RTF) remote template, which rendered remote HTML using Internet Explorer and then delivered an unknown payload. Since Office still uses the Internet Explorer engine to execute JavaScript, this made the attack possible even though the victim never opened the browser itself. Fortunately, Google discovered the vulnerability and reported it to Microsoft. Microsoft then released a patch to fix the flaw, which should protect users who apply it from future attacks.

“Although we did not recover a final payload for this campaign, we’ve previously observed the same group delivering a variety of implants like ROKRAT, BLUELIGHT, and DOLPHIN,” Lecigne and Stevens said. “APT37 implants typically abuse legitimate cloud services as a C2 channel and offer capabilities typical of most backdoors.”

It is not clear how many individuals and organizations were affected by the North Korean attack, or what kind of information may have been stolen. However, this incident serves as a reminder of the ongoing threat posed by state-sponsored hackers and of the importance of keeping software up to date and using security measures to protect against such attacks.
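The remote-template delivery chain described above leaves a recognizable trace inside the .docx itself: Word records a template binding as an attachedTemplate relationship in word/_rels/settings.xml.rels, and a remote template shows up there as an external http(s) target. The following Python script is an added defender-side example, not code from this article or from Google TAG, that opens a .docx, reads that relationship file, and flags any external template URL. The sample documents are constructed in memory, and the URL under template.example.invalid is a placeholder, not an indicator from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespace for package relationships and the relationship type Word uses
# to bind a document to its template (both are standard, documented values).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_remote_templates(docx_bytes):
    """Return the external attachedTemplate targets found in a .docx.

    A relationship of type attachedTemplate with TargetMode="External" and an
    http(s) Target means Word will fetch the template from the network when the
    document is opened, which is the behaviour a remote-template lure relies on.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        # The binding normally lives in settings.xml.rels; document.xml.rels is
        # checked too in case a document was hand-crafted unusually.
        for rels_name in ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels"):
            if rels_name not in names:
                continue
            root = ET.fromstring(zf.read(rels_name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if external and target.lower().startswith(("http://", "https://")):
                    hits.append(target)
    return hits


def build_sample_docx(template_url=None):
    """Build a minimal .docx in memory (constructed sample, not a real document).

    When template_url is given, the settings part is bound to that URL exactly as
    a remote-template document would be; otherwise the document is self-contained.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            "</Types>",
        )
        zf.writestr(
            "word/document.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>constructed sample</w:t></w:r></w:p></w:body></w:document>",
        )
        settings = (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        )
        if template_url:
            settings += '<w:attachedTemplate r:id="rId1"/>'
        settings += "</w:settings>"
        zf.writestr("word/settings.xml", settings)
        if template_url:
            zf.writestr(
                "word/_rels/settings.xml.rels",
                '<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_url}" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, not an indicator from the campaign.
    suspicious = build_sample_docx("http://template.example.invalid/report.dotm")
    benign = build_sample_docx()
    print("suspicious:", find_remote_templates(suspicious))  # one external URL
    print("benign:", find_remote_templates(benign))          # []
```

Run against a real file with `find_remote_templates(open(path, "rb").read())`; a non-empty result is a strong triage signal because ordinary documents bind to local templates, if any, rather than to a web address. A hit identifies where the second stage would come from but says nothing about what it is, so it belongs in mail-gateway or sandbox triage rather than as a standalone verdict.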