Google’s cyber security team has identified a zero-day exploit for an Internet Explorer vulnerability that was used to target users in South Korea.
The tech giant’s Threat Analysis Group (TAG) made the discovery in October 2022 and observed malware embedded in documents that were emailed to targets. The hidden malware in the documents exploited a vulnerability in the browser’s JScript engine, tracked as CVE-2022-41128.
TAG attributed the attacks to APT37, a known threat group that it has linked to North Korean state-sponsored hackers. It said that APT37 has used Internet Explorer zero-days in the past to target users, and tends to focus on people based in South Korea, including journalists, human rights activists and North Korean defectors.
The malware-laden document was titled “221031 Seoul Yongsan Itaewon incident response situation (06:00).docx”, which Google said was attempting to take advantage of public interest in an incident, a Halloween crowd crush, that took place in South Korea in October.
Several submitters from South Korea flagged the malware to Google’s TAG by uploading the Microsoft Office document to VirusTotal, a site Google owns that analyses suspicious files, domains and URLs.
Researchers found that the document downloaded a rich text file (RTF) remote template, which then went on to fetch HTML content.
“Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199),” said TAG. “Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.”
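A defender-side check for the staging step described above, added here as an example and not code from the article or from Google TAG: a .docx is a ZIP archive, and a remote template shows up as an attachedTemplate relationship with TargetMode="External" in word/_rels/settings.xml.rels. The minimal archive and the placeholder target URL are constructed for the example.

```python
"""Flag Office documents that pull a remote (external) template.
Added example; the sample archive and URL below are constructed, not real."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"  # where Word stores the template link


def remote_template_targets(docx_bytes: bytes) -> List[str]:
    """Return external attachedTemplate targets found in a .docx (empty if none)."""
    targets: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return targets  # no settings relationships, so no template link
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            rel_type = rel.get("Type", "")
            # Only an *external* attachedTemplate is fetched over the network
            if rel_type.endswith("/attachedTemplate") and rel.get("TargetMode") == "External":
                targets.append(rel.get("Target", ""))
    return targets


def build_docx(rels_xml: Optional[str]) -> bytes:
    """Build a minimal constructed .docx-like ZIP for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if rels_xml is not None:
            zf.writestr(SETTINGS_RELS, rels_xml)
    return buf.getvalue()


ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Constructed sample: template link pointing at a placeholder external host
REMOTE_RELS = (
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
    'Target="http://example.invalid/PLACEHOLDER-template.dotm" TargetMode="External"/></Relationships>'
)
# Constructed sample: a local template link, which is benign for this check
LOCAL_RELS = (
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
    'Target="Normal.dotm"/></Relationships>'
)

if __name__ == "__main__":
    print("remote:", remote_template_targets(build_docx(REMOTE_RELS)))
    print("local:", remote_template_targets(build_docx(LOCAL_RELS)))
```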
TAG informed Microsoft of the vulnerability on 31 October 2022, and it was then assigned the CVE-2022-41128 identifier. Five days later, on 8 November 2022, the vulnerability was patched.
Microsoft has fixed Internet Explorer bugs in the past that had been exploited by North Korean hackers. The flaw, discovered in March 2021, was used to target security researchers through a memory corruption vulnerability that enabled hackers to run malware on a victim’s PC. It did this by encouraging them to access a malicious website.
In September 2021, Microsoft also had to issue a further fix for a zero-day vulnerability in the browser engine that powers legacy Internet Explorer. It was a remote code execution flaw in the MSHTML browser engine that allowed hackers to create a malicious ActiveX control, which was used by a Microsoft Office document hosting the engine. The attackers would then tempt victims into opening the document.