As first reported by TechCrunch, North Korean hackers are behind an Internet Explorer zero-day vulnerability exploit. This is information that was first made public by Google's Threat Analysis Group.
According to reports, the North Korean actors mainly target South Korean users with the said malware.
North Korean Hackers Exploit Zero-Day Vulnerability
A vulnerability in a system or device that has been publicly published but has not yet been fixed is known as a zero-day vulnerability. A zero-day exploit is an exploit that targets a zero-day vulnerability. With the Explorer zero-day, the alleged hackers' disseminated malware by disguising it as a contentious document.
The vulnerability was discovered by Google's Threat Analysis Group (TAG) in late October. It has been determined that it has been inserted in malicious documents and used to target users in South Korea. TAG attributes this behavior to APT37, a group of North Korean government-backed actors.
CVE-2022-41128, an Internet Explorer 0-day vulnerability in the JScript engine, was used to create these malicious pages.
According to TAG, this is not the first time APT37 has targeted victims with Internet Explorer 0-day exploits. Previously, the group has targeted South Korean users, North Korean defectors, policymakers, journalists, and human rights supporters.
Read Also : Lockheed Martin Partners With 3D Printing Company for Research Expansion of Metal Additive Parts
When a user opens the vulnerability-riddled document, it downloads a rich text file (RTF) remote template that would cause Internet Explorer to render remote HTML. Microsoft Edge officially replaced Internet Explorer in June. However, Office still uses the Explorer engine to run the JavaScript that facilitates the attack.
Hackers Use Fake Itaewon Incident Documents to Lure Victims
Multiple South Korean users reported the new malware to TAG in late October via a Microsoft Office document uploaded to VirusTotal.
It was discovered that the document titled "221031 Seoul Yongsan Itaewon accident response situation (06:00).docx" refers to the tragic Halloween incident that occurred in Seoul on Oct. 29. This bait document takes advantage of public interest in the accident, particularly among South Korean citizens.
As Clement Lecigne and Benoit Sevens of the Google TAG team said, this approach has been used since 2017 to distribute IE exploits via Office files. Using this vector to deliver IE exploits does not require the victim to use Internet Explorer as its primary browser or to chain the exploit with an EPM sandbox escape.
After an examination, the Google team found that the attackers had used a 0-day vulnerability in Internet Explorer's JScript engine. On Oct. 31, TAG notified Microsoft of the issue, and on Nov. 3, CVE-2022-41128 was assigned. It was five days later when Microsoft finally patched the vulnerability.
In August 2021, the same group reportedly attacked using the same technique. Volexity says in a blog that it has investigated a strategic web compromise of a known South Korean online newspaper that reports about North Korea. Volexity discovered suspicious code being loaded to malicious subdomains via the news website.
Stay posted here at Tech Times.