DarkHotel: North Korean hacker group’s top target this year is the Internet Explorer’s scripting engine

• Security experts recently discovered that the North Korean APT group created new exploits for two older vulnerabilities affecting the Internet Explorer scripting engines.
• DarkHotel also found and used two zero-day vulnerabilities targeting Internet Explorer scripting engines.

The clandestine North Korean cyberespionage group DarkHotel, aka APT-C-06, Fallout Team, SIG25, etc., has been increasingly targeting Internet Explorer (IE) scripting engine. Security experts recently discovered that DarkHotel created new exploits for two older vulnerabilities affecting the Internet Explorer scripting engines.

Although DarkHotel’s activities were brought to light in 2014, security researchers believe that the hacker group has been active since 2007. However, over the years, the cyberespionage group, that is known to have ties to the Pyongyang regime, has evolved and more recently, has been targeting political figures.

This year, DarkHotel has been repeatedly targeting the IE VBScript scripting engine. According to security researchers at Qihoo 360 Core, the North Korean APT group not only used two zero-day bugs targeting IE scripting engines, the hackers also created new exploits for two older IE scripting engine flaws.

"After analysis, we found that the obfuscation and exploitation of these four [exploits] are highly consistent. We suspect that they are from the same hacker (or hacking group),” said Qihoo 360 Core researchers. “We believe that there are other similar issues in VBScript, and speculate that there are other similar exploits are under the control of the hacker or hacking group.”