
North Korean Hackers Look to Internet Explorer Zero Days

by Ransomware DataBreachToday.com

Cyberwarfare / Nation-State Attacks
Endpoint Security
Fraud Management & Cybercrime

Google TAG Attributes Exploits to State-Sponsored APT37, aka Reaper
Mihir Bagwe
December 7, 2022

North Korean state-sponsored hackers exploited a zero-day vulnerability in the JavaScript engine of Microsoft's Internet Explorer via an Office document sent to users in South Korea.


Google’s Threat Analysis Group says it spotted the exploit in October after multiple individuals from South Korea uploaded to VirusTotal a copy of the malicious Word file. The document purported to be an update on the Halloween crowd crush that killed more than 150 in the Itaewon neighborhood of Seoul.

APT37, also known as Reaper, primarily targets South Korea, the country with which the totalitarian regime in Pyongyang has maintained a tense seven-decade armistice. Cybersecurity firm Mandiant has written that APT37, which appears to have been active since at least 2012, targets the public and private sectors alike in espionage campaigns.

Microsoft issued a patch for the zero-day in early November.

The vulnerability, CVE-2022-41128, resided within the Internet Explorer JavaScript engine, jscript9.dll, the component Office uses to render HTML content. Google characterizes the flaw as an incorrect just-in-time compilation that leads to variable type confusion. It is similar to another vulnerability, CVE-2021-34480, that Google researchers identified in 2021.

This North Korean threat group has exploited Internet Explorer zero days before, Google notes. Exploiting Internet Explorer through the Office channel has its advantages since it doesn’t depend on users selecting the browser as the default. Nor does it require chaining the exploit with another to break free of Internet Explorer’s Enhanced Protected Mode sandbox, writes Google.

The malicious document downloaded a rich text file template that in turn fetched remote HTML content, but only if users had disabled Office's Protected View setting. Google researchers ultimately did not recover the final payload of the campaign, but APT37 in the past has delivered a variety of implants that "abuse legitimate cloud services as a C2 channel and offer capabilities typical of most backdoors."

The Cybersecurity and Infrastructure Security Agency added the IE zero-day to its catalog of known exploited vulnerabilities in November and ordered federal civilian agencies to patch the bug by December 9.
