Microsoft's Edge browser has replaced Internet Explorer in almost every regard, but some exceptions remain. One of those, deep inside Microsoft Word, was exploited by a North-Korean-backed group this fall, Google security researchers claim.
It's not the first time the government-backed APT37 has used Internet Explorer's lingering presence, as Google's Threat Analysis Group (TAG) notes in a blog post. APT37 has had repeated success targeting South Korean journalists and activists, plus North Korean defectors, through a limited but still effective Internet Explorer pathway.
The latest exploit targeted those heading to Daily NK, a South Korean site dedicated to North Korean news. This one involved the Halloween crowd crush in Itaewon, which killed at least 151 people. A Microsoft Word .docx document, named as if it were timed and dated less than 2 days after the incident and labeled "accident response situation," started circulating. South Korean users began submitting the document to the Google-owned VirusTotal, where it was flagged with CVE-2017-0199, a long-known vulnerability in Word and WordPad.
Just as back in April 2017, the document, if you click to allow Word/WordPad to view it outside the no-download "Protected View," downloads a rich text template from an attacker-controlled server, then grabs more HTML that looks like Rich Text Format templates. Office and WordPad intrinsically use Internet Explorer to render HTML in what Microsoft describes as "specially crafted files," giving attackers a way to then bring in various malware payloads. While patched that same month, the vulnerability persisted; it was one of the vectors exploited in a Petya wave more than a year later.
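The remote-template step above leaves a trace in the .docx package itself: a relationship entry that points outside the file. The following scanner, an added example that is not from the article or from Google TAG, lists any oleObject or attachedTemplate relationship with TargetMode="External" in a .docx, which is the artifact defenders and mail gateways can check for before a user ever clicks out of Protected View. The sample document and its URL are constructed for the test and are not indicators from the reported lure.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that make Word fetch and render remote content on open.
REMOTE_REL_TYPES = ("/relationships/oleObject", "/relationships/attachedTemplate")


def find_external_links(docx_bytes):
    """Scan every .rels part of a .docx and return (part, relationship kind, target)
    for each OLE-object or attached-template relationship that leaves the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                rel_type = rel.get("Type", "")
                if rel.get("TargetMode") == "External" and rel_type.endswith(REMOTE_REL_TYPES):
                    hits.append((part, rel_type.rsplit("/", 1)[-1], rel.get("Target")))
    return hits


def build_sample_docx(remote_target=None):
    """Constructed minimal .docx: one harmless local image link plus, optionally, an
    external oleObject link of the kind CVE-2017-0199 lures carry (hypothetical URL)."""
    rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
            '2006/relationships/image" Target="media/image1.png"/>']
    if remote_target:
        rels.append('<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/'
                    f'2006/relationships/oleObject" Target="{remote_target}" TargetMode="External"/>')
    rels_xml = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS[1:-1]}">'
                + "".join(rels) + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns='
                    '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w='
                    '"http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_external_links(build_sample_docx("http://template.example.invalid/accident.rtf")):
        print("external link found:", hit)
```

A clean document yields an empty list; any hit is worth quarantining for review, since legitimate documents rarely embed remote OLE objects or templates.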
The specific vulnerability has to do with Internet Explorer's JavaScript engine. An error during just-in-time optimization leads to a type confusion and a memory write. This particular exploit also cleaned up after itself, clearing the Internet Explorer cache and history of its presence. While Google's TAG doesn't know what payloads were delivered, APT37 has previously circulated exploits that triggered BLUELIGHT, ROKRAT, and DOLPHIN, all with a focus on North Korean political and economic interests. (North Korean hackers aren't averse to a Chrome exploit, though.)
Microsoft has patched the specific exploit in its JScript engine, but this being the 5th year of remote-code Word doc attacks, it seems like they'll be around for a while longer. And North Korean actors will be eager to act on them.