North Korean hackers exploit Itaewon tragedy to infiltrate South Korean targets

A North Korean hacking group took advantage of the Oct. 29 Itaewon crowd-crush tragedy, which killed more than 150 people, to trick South Korean targets into downloading malicious files, researchers with Google’s Threat Analysis Group revealed Wednesday.

The discovery of the campaign appears to be just the latest attempt by a notorious North Korean hacking group known as APT37, which has targeted North Korean defectors, policymakers, journalists and human rights activists and others in South Korea for the past decade.

Researchers discovered the campaign after multiple South Korean submissions of a Microsoft Office document titled “221031 Seoul Yongsan Itaewon accident response situation (06:00)” to VirusTotal on Oct. 31.

The hackers appear to have designed the malicious document to install malware on victims’ devices and relied on a recently discovered Internet Explorer zero-day vulnerability, CVE-2022-41128, that allows for remote code execution.

Researchers notified Microsoft about the zero-day within a few hours of its discovery Oct. 31 and patches were issued on Nov. 8.

Google researchers did not recover a final payload associated with this campaign. The hacking group they believe is behind the campaign previously used implants known as ROKRAT, BLUELIGHT and DOLPHIN. “APT37 implants typically abuse legitimate cloud services as a [command and control] channel and offer capabilities typical of most backdoors,” the researchers said.

APT37 has previously used browser-based exploits to go after targets, the researchers noted.

“TAG is committed to sharing research to raise awareness on bad actors like APT37 within the security community, and for companies and individuals that may be targeted,” the researchers said. “By improving understanding of the tactics and techniques of these types of actors, we hope to strengthen protections across the ecosystem.”