
North Korean APT Group Exploits Internet Explorer Zero-Day Flaw, Google Warns

Vlad CONSTANTINESCU

December 08, 2022


Google’s Threat Analysis Group (TAG) yesterday revealed technical details of a zero-day vulnerability used by a North Korean Advanced Persistent Threat (APT) group.

The flaw, discovered in late October, is a Windows Scripting Languages Remote Code Execution (RCE) vulnerability tracked as CVE-2022-41128. It lets perpetrators exploit a flaw in Internet Explorer’s JScript engine through malicious code embedded in Microsoft Office documents.

Microsoft addressed the vulnerability, which affects Windows 7 through 11 and Windows Server 2008 through 2022, in last month’s patch rollout.

According to Google’s TAG, North Korean government-backed actors weaponized the vulnerability and used it against South Korean users. The threat actors injected the malicious code into Microsoft Office documents referencing a tragic incident in Seoul, South Korea, to lure unsuspecting victims.

Researchers also discovered documents with “similar targeting,” likely exploiting the same vulnerability.

“The document downloaded a rich text file (RTF) remote template, which in turn fetched remote HTML content,” reads Google TAG’s security advisory. “Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199). Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.”

Typically, a document delivered this way carries the Mark-of-the-Web, so Office opens it in Protected View. For the attack to succeed, the user must manually leave Protected View before the document can retrieve the remote RTF template.

While Google TAG didn’t recover a final payload for the malicious campaign attributed to APT37, researchers have seen similar implants used by the group, including BLUELIGHT, DOLPHIN and ROKRAT. APT37-specific implants often abuse legitimate cloud services as command-and-control (C2) infrastructure and offer backdoor capabilities.


Dedicated software solutions such as Bitdefender Ultimate Security can keep you safe from backdoors, zero-day exploits, and other cyberthreats with their extensive range of features, such as:

  • Continuous, all-around monitoring and protection against viruses, worms, Trojans, rootkits, zero-day exploits, spyware, ransomware and other e-threats
  • Behavioral detection module that constantly monitors active apps and takes instant action against suspicious activity
  • Advanced prevention technology that identifies suspicious network-level activity and blocks threats such as botnet-related URLs, brute force attacks and sophisticated exploits
