North Korean Hackers Abuse Internet Explorer’s Zero-Day Vulnerability

Author: Ilija Miljkovac
Last updated: January 20, 2023
North Korean state-sponsored hackers exploited a previously unknown zero-day vulnerability in Internet Explorer to target South Korean users with malware, according to Google’s Threat Analysis Group (TAG).

TAG became aware of the flaw after a document titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx” was uploaded to their VirusTotal tool.

The document references the tragic incident in Seoul’s Itaewon neighborhood during Halloween festivities, when a crowd crush in a narrow alleyway killed at least 158 people and injured 196 others.

On October 31st, TAG discovered that the malware embedded in the document was designed to exploit a zero-day vulnerability in Internet Explorer’s JavaScript engine, tracked as CVE-2022-41128 with a Common Vulnerability Scoring System (CVSS) severity rating of 8.8.

Google notified Microsoft that same day, and on November 8th Microsoft released a patch. Microsoft didn’t release a statement on who else might be endangered by the virus or in what other ways the vulnerability is being actively exploited.

Once opened, the malicious document, which requires a user to disable protected view, downloads a rich text file (RTF) remote template that fetches remote HTML content using Internet Explorer.

TAG’s security researchers, Clement Lecigne and Benoit Sevens, explained that this is possible:

“Because Office renders this HTML content using Internet Explorer. This technique has been widely used to distribute Internet Explorer exploits via Office files since 2017.”

They further went on to add that:

“Delivering Internet Explorer exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser.”

Even though Microsoft Edge replaced Internet Explorer this June, Office still uses Internet Explorer’s engine to execute the JavaScript that enables the attack.
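
A defender's check for the delivery step described above, as an added example that is not from the article or from TAG: it lists every relationship in a .docx that points outside the package and singles out attached templates, which is where a remote template is declared. The host names and the sample package are constructed for the demo; the `attachedTemplate` relationship type is the standard OOXML one.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
TEMPLATE_TYPE = OFFICE_REL + "attachedTemplate"
MAX_RELS_SIZE = 1_000_000  # skip oversized parts instead of inflating them


def external_relationships(docx_bytes):
    """Return (part, type, target) for each TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_RELS_SIZE:
                continue
            try:
                root = ET.fromstring(zf.read(info))
            except ET.ParseError:
                continue  # malformed part: leave it for manual triage
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append((info.filename, rel.get("Type", ""), rel.get("Target", "")))
    return found


def remote_templates(docx_bytes):
    """Targets of attached templates that Word would load from outside the package."""
    return [target for _, rtype, target in external_relationships(docx_bytes)
            if rtype == TEMPLATE_TYPE]


def build_sample(template_target=None):
    """Constructed minimal package for the demo, not a file from the campaign."""
    def rels(rtype, target):
        return ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                f'<Relationship Id="rId1" Type="{OFFICE_REL}{rtype}" Target="{target}" '
                'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # An external hyperlink is normal in documents and must not be flagged as a template.
        zf.writestr("word/_rels/document.xml.rels", rels("hyperlink", "https://example.com/"))
        if template_target:
            zf.writestr("word/_rels/settings.xml.rels", rels("attachedTemplate", template_target))
    return buf.getvalue()


if __name__ == "__main__":
    print(remote_templates(build_sample("https://template-host.example/t.rtf")))
```

External hyperlinks are common in benign documents, so the useful signal is an attached template whose target is outside the package, not the mere presence of an external relationship.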

Who Are the Notorious North Korean Hackers?
According to Google, the group behind this attack is APT37, a group of malicious hackers backed by the North Korean government. The group, considered active for at least a decade, has previously targeted North Korean defectors, journalists, human rights activists, and policymakers, as well as South Korean Internet Explorer users, all through similar zero-day vulnerability exploits.

TAG says that it “didn’t recover a final payload for this campaign” and added that it previously observed APT37 using similar exploits to deliver a variety of implants like Rokrat, Bluelight, and Dolphin.

This discovery by Google’s TAG comes right after another group of researchers at Cisco Talos discovered that another North Korean-sponsored group, Lazarus — also known as APT38 — is exploiting Log4Shell to target energy providers in Canada, Japan, and the U.S.

Lazarus Group is also notorious for its attacks on crypto networks like the recent Harmony Bridge hack. What do you think, are North Korean hackers a threat, and if so, how should this be dealt with?