2 min read

North Korean APT Group Exploits Internet Explorer Zero-Day Flaw, Google Warns


December 08, 2022

Promo Protect all your devices, without slowing them down.
Free 30-day trial
North Korean APT Group Exploits Internet Explorer Zero-Day Flaw, Google Warns

Google’s Threat Analysis Group (TAG) revealed yesterday technical details of a zero-day vulnerability used by a North Korean Advanced Persistent Threat (APT) group.

The flaw, discovered in late October, is a Windows Scripting Languages Remote Code Execution (RCE) vulnerability tracked as CVE-2022-41128. It lets perpetrators exploit an Internet Explorer JScript engine shortcoming through malicious code embedded in Microsoft Office documents.

Microsoft addressed the vulnerability, which affects Windows 7 through 11 and Windows Server 2008 through 2022, in last month’s patch rollout.

According to Google’s TAG, North Korean government-backed actors weaponized the vulnerability and used it against South Korean users. The threat actors injected the malicious code into Microsoft Office documents referencing a tragic incident in Seoul, South Korea, to lure unsuspecting victims.

Researchers also discovered documents with “similar targeting,” likely exploiting the same vulnerability.

“The document downloaded a rich text file (RTF) remote template, which in turn fetched remote HTML content,” reads Google TAG’s security advisory. “Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199). Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.”

Typically, an infected document would bear the Mark-of-the-Web security feature. For an attack to succeed, users must manually disable the document’s protected view so the code can retrieve the remote RTF template.

While Google TAG didn’t recover a final payload for the malicious campaign attributed to APT37, experts noticed similar implants used by the perpetrators, including BLUELIGHT, DOLPHIN and ROKRAT. APT37-specific implants often exploit legitimate cloud services by turning them into C2 (command and control) and offer backdoor capabilities.

Dedicated software solutions such as Bitdefender Ultimate Security can keep you safe from backdoors, zero-day exploits, and other cyberthreats with its extensive range of features, such as:

  • Continuous, all-around monitoring and protection against viruses, worms, Trojans, rootkits, zero-day exploits, spyware, ransomware and other e-threats
  • Behavioral detection module that constantly monitors active apps and takes instant action against suspicious activity
  • Advanced prevention technology that identifies suspicious network-level activity and blocks threats such as botnet-related URLs, brute force attacks and sophisticated exploits




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.

View all posts

You might also like