North Korean APT Group Exploits Internet Explorer Zero-Day Flaw, Google Warns
Google’s Threat Analysis Group (TAG) revealed yesterday technical details of a zero-day vulnerability used by a North Korean Advanced Persistent Threat (APT) group.
The flaw, discovered in late October, is a Windows Scripting Languages Remote Code Execution (RCE) vulnerability tracked as CVE-2022-41128. It lets perpetrators exploit an Internet Explorer JScript engine shortcoming through malicious code embedded in Microsoft Office documents.
Microsoft addressed the vulnerability, which affects Windows 7 through 11 and Windows Server 2008 through 2022, in last month’s patch rollout.
According to Google’s TAG, North Korean government-backed actors weaponized the vulnerability and used it against South Korean users. The threat actors injected the malicious code into Microsoft Office documents referencing a tragic incident in Seoul, South Korea, to lure unsuspecting victims.
Researchers also discovered documents with “similar targeting,” likely exploiting the same vulnerability.
“The document downloaded a rich text file (RTF) remote template, which in turn fetched remote HTML content,” reads Google TAG’s security advisory. “Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199). Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape.”
Typically, an infected document would bear the Mark-of-the-Web security feature. For an attack to succeed, users must manually disable the document’s protected view so the code can retrieve the remote RTF template.
While Google TAG didn’t recover a final payload for the malicious campaign attributed to APT37, experts noticed similar implants used by the perpetrators, including BLUELIGHT, DOLPHIN and ROKRAT. APT37-specific implants often exploit legitimate cloud services by turning them into C2 (command and control) and offer backdoor capabilities.
Dedicated software solutions such as Bitdefender Ultimate Security can keep you safe from backdoors, zero-day exploits, and other cyberthreats with its extensive range of features, such as:
- Continuous, all-around monitoring and protection against viruses, worms, Trojans, rootkits, zero-day exploits, spyware, ransomware and other e-threats
- Behavioral detection module that constantly monitors active apps and takes instant action against suspicious activity
- Advanced prevention technology that identifies suspicious network-level activity and blocks threats such as botnet-related URLs, brute force attacks and sophisticated exploits
Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns
January 19, 2023
Enhance your cyber resilience and privacy on Computer Security Day in four easy steps
November 29, 2022
How to monitor your online privacy during your Thanksgiving trip
November 22, 2022
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info
November 16, 2022
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be
November 14, 2022