Google has filled in the blanks about a curious zero-day flaw that Microsoft addressed in its November Patch Tuesday.
The remote code execution flaw, tracked as CVE-2022-41128, was in one of its Windows JavaScript scripting languages, JScript9, the JavaScript engine used in IE11. The bug affected Windows 7 through Windows 11 as well as Windows Server 2008 through 2022.
Microsoft ended support for IE11 on June 15, 2022 and has been encouraging customers to use Edge with 'IE mode' instead, but Google has found that this kind of IE bug continues to be exploited in Office documents because the IE engine remains integrated with Office.
And who were the actors behind the recently discovered exploit for legacy IE 11?
According to TAG members Clement Lecigne (who reported the flaw to Microsoft) and Benoit Sevens, the IE exploit was developed by the North Korean actors APT37.
The attackers distributed the IE exploit in an Office document because, as TAG explains, Office renders HTML content using IE. IE exploits have been delivered via Office since 2017 for this reason: even if Chrome is set as the default browser, Office falls back to the IE engine when it encounters HTML or web content.
"Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape," the threat analysts note.
They also note that this is very similar to the bug, CVE-2021-34480, that Google Project Zero (GPZ) found last year in IE 11's JIT compiler. GPZ's analysis of the new IE flaw also traced it to IE's JIT compiler.
At the time, GPZ researcher Ivan Fratric noted that though Microsoft had ended support for IE 11, IE (or the IE engine) was still integrated into other products, most notably Microsoft Office. Because of that still-existing integration, Fratric wondered how long it would take before attackers stopped abusing it.
TAG notes that in a typical scenario where an IE exploit is delivered in an Office document, the user would have to disable Office Protected View before the remote RTF is fetched.
TAG didn't find the final payload for this campaign; however, they noted that APT37 (also known as ScarCruft and Reaper) has used several implants such as ROKRAT, BLUELIGHT, and DOLPHIN.
"APT37 implants typically abuse legitimate cloud services as a C2 channel and offer capabilities typical of most backdoors," TAG notes.
TAG also commended Microsoft for the speedy patch, which it delivered 8 days after Google first analyzed the malicious Office file from VirusTotal.