Google says North Korea targeted an Internet Explorer zero-day vulnerability
Cybersecurity researchers from Google’s Threat Analysis Group (TAG) have discovered a zero-day vulnerability in the Internet Explorer (IE) browser (opens in new tab) is being exploited by a known North Korean threat actor.
In a blog post (opens in new tab) the group said it had spotted the APT37 (AKA Erebus) group targeting individuals in South Korea with a weaponized Microsoft Word file.
The file is titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”, which refers to the recent tragedy that occurred in Itaewon, Seoul, during this year’s Halloween celebrations, in which at least 158 people lost their lives. , with another 200 injured. Apparently, the attackers wanted to capitalize on the public and media attention the incident received.
Exploiting old flaws
After analyzing the document being distributed, TAG found that it downloaded a remote RTF template to the target endpoint, which then retrieved remote HTML content. Microsoft may have disabled Internet Explorer and replaced it with Edge, but Office still renders HTML content using IE, which is a well-known fact that threat actors have been exploiting since 2017, according to TAG.
Now that Office renders HTML content with IE, attackers can exploit the zero-day they discovered in IE’s JScript engine.
The team found the flaw in “jscript9.dll”, Internet Explorer’s JavaScript engine, which allowed attackers to execute arbitrary code when rendering a website under their control.
Microsoft was tipped off on October 31, 2022, with the bug labeled CVE-2022-41128 three days later and a patch released on November 8.
While the process so far only compromises the device, TAG has not discovered for what purpose. It did not find the APT37 final payload for this campaign, but added that the group has delivered malware such as Rokrat, Bluelight or Dolphin in the past.
Through: The edge (opens in new tab)
