TAG became aware of the vulnerability when malicious Microsoft Office documents titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx” were uploaded to VirusTotal on October 31st, 2022. The documents took advantage of the widespread publicity surrounding the tragedy in Itaewon on October 29th, in which 151 people lost their lives in a crowd crush during a Halloween celebration in Seoul.
The attack is believed to be the work of a group of North Korean government-backed actors known as APT37.
TAG says in the blog post that it “did not recover a final payload for this campaign,” but notes that it has previously observed APT37 using similar exploits to deliver malware such as Rokrat, Bluelight, and Dolphin. In this instance, the vulnerability was reported to Microsoft within hours of its discovery on October 31st and was patched on November 8th.