North Korea hits new low by using tragedy to spread malware • The Register

North Korea has hit a new low, using the death of over 150 people to exploit a zero-day flaw in Internet Explorer.

Google’s Threat Analysis Group on Wednesday spotted the flaw, CVE-2022-41128, an RCE bug in the JScript9 scripting language engine.

Microsoft fixed it in November 2022’s patch dump.

But Google says the North Korean government-backed actors known as APT37 created an exploit for the flaw and embedded it in a document titled ““221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”.

The Seoul Yongsan Itaewon accident took place in late October and saw over 150 people crushed to death when Halloween celebrations went very wrong. Hundreds more were injured, many seriously.

South Korea declared a week of national mourning after the incident.

And now APT37 has used it – while memories are still very, very, raw in the South – to distribute malware.

And nasty malware, too.

“The vulnerability can be exploited to execute arbitrary code when rendering an attacker-controlled website,” Google explained. It does so by infecting documents so they download “a rich text file (RTF) remote template, which in turn fetched remote HTML content. Because Office renders this HTML content using Internet Explorer (IE).”

Internet Explorer has of course been deprecated but is still present on many PCs. Quite possibly more PCs in South Korea than elsewhere given some of the nation’s government websites relied on legacy Microsoft browser technologies until 2021.

North Korea stands accused of using cyber-ops to steal data, money, and whatever else it can get its hands on.

And now it’s also used hacking to exploit the deaths of children in the hope of infecting innocent individuals’ PCs.

Which is horrible, grim, behaviour. But far from atypical for North Korea’s government, which those of you with a strong stomach can learn about in horrifying detail in this searing United Nations report that details the regime’s excesses. ®

Leave a Reply