You can now find Cyber Kendra on Google News!

Google Discovered New Internet Explorer 0-day Exploited by North Korean Hackers

New Internet Explorer 0-day exploited by North Korean actor APT37

internet explorer 0day Vulnerability

Google's Threat Analysis Group (TAG)
has discovered a new zero-day vulnerability that is actively exploited by hackers targeting users in South Korea. 

Google's TAG team discovered this zero-day in the month of October 2022 and the team quickly reported the vulnerability to the Microsoft security team. Microsoft quickly fixed the exploited vulnerability and patches were released to protect users from these attacks. 

Google attributes the activity to a group of North Korean government-backed actors known as APT37. Hackers are embedding malicious code in Microsoft Office documents and these malicious documents exploited an Internet Explorer 0-day vulnerability in the JScript engine, CVE-2022-41128. 

Google noted -

This is not the first time APT37 has used Internet Explorer 0-day exploits to target users. The group has historically focused their targeting on South Korean users, North Korean defectors, policy makers, journalists, and human rights activists.

Malicious Document Uploaded to VirusTotal

On October 31, 2022, multiple submitters from South Korea reported new malware by uploading a Microsoft Office document to VirusTotal. The document, titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”, references the tragic incident in the neighborhood of Itaewon, in Seoul, South Korea during Halloween celebrations on October 29, 2022.  

The shared malicious document download a rich text file (RTF) remote template, which in turn fetched remote HTML content. Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199). Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.

Cause of 0-day Vulnerability

Google's TAG team found that vulnerability impacts the JScript9 scripting language that resides within “jscript9.dll”, the JavaScript engine of Internet Explorer, and can be exploited to execute arbitrary code when rendering an attacker-controlled website.

For the successful exploitation of the vulnerability, the user has to disable the protected view before the remote RTF template is fetched.

Google TAG team also identified other documents likely exploiting the same vulnerability and with similar targeting, which may be part of the same campaign. 

Post a Comment