A North Korean threat actor known for targeting victims in South Korea has been caught using an exploit for a zero-day vulnerability in Internet Explorer by delivering malicious Microsoft Office documents.
Researchers with Google’s Threat Analysis Group discovered the vulnerability (CVE-2022-41128) on Oct. 31 after several people uploaded the malicious Office documents to VirusTotal. After analyzing the documents, the TAG researchers found that the documents download another file that then contacts a remote server to retrieve some HTML code. The malicious documents used the Halloween incident in Seoul as a lure to entice victims to open them.
TAG reported the vulnerability to Microsoft, which released a fix for it on Nov. 8.
“The document downloaded a rich text file (RTF) remote template, which in turn fetched remote HTML content. Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199). Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape,” a post by TAG researchers Clement Lecigne and Benoit Sevens says.
“Upon analysis, TAG observed the attackers abused an 0-day vulnerability in the JScript engine of Internet Explorer.”
The exploit that the attackers used is designed to bypass the protection that Internet Explorer has for opening potentially unsafe content downloaded from the internet.
“When delivering the remote RTF, the web server sets a unique cookie in the response, which is sent again when the remote HTML content is requested. This likely detects direct HTML exploit code fetches which are not part of a real infection,” the researchers said.
“The exploit JavaScript also verifies that the cookie is set before launching the exploit. Additionally it reports twice to the C2 server: before launching the exploit and after the exploit succeeds.”
APT37 is also known as Reaper and the group is primarily known for conducting cyber espionage campaigns directly aligned with the North Korean government’s interests. The group has used zero days in operations in the past, including CVE-2020-1380, which the group used last year.