North Korean hackers exploited Internet Explorer zero-day to spread malware
North Korean state-sponsored hackers exploited a previously unknown zero-day vulnerability in Internet Explorer to target South Korean users with malware, according to Google’s Threat Analysis Group.
Google researchers first discovered the zero-day flaw on October 31 when multiple individuals uploaded a malicious Microsoft Office document to the company’s VirusTotal tool. These documents purported to be government reports related to the Itaewon tragedy, a crowd crush that occurred during Halloween festivities in the Itaewon neighborhood of Seoul. At least 158 people were killed and 196 others were injured.
“This incident was widely reported on, and the lure takes advantage of widespread public interest in the accident,” Google TAG’s Clement Lecigne and Benoit Stevens said on Wednesday.
The malicious documents were designed to exploit a zero-day vulnerability in Internet Explorer’s Script engine, tracked as CVE-2022-41128 with a CVSS severity rating of 8.8. Once opened, the document would deliver an unknown payload after downloading a rich text file (RTF) remote template that would render remote HTML using Internet Explorer. Although Internet Explorer was officially retired back in June and replaced by Microsoft Edge, Office still uses the IE engine to execute the JavaScript that enables the attack.
“This technique has been widely used to distribute IE exploits via Office files since 2017,” Lecigne and Stevens said. “Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser.”
The researchers added that Google reported the vulnerability to Microsoft on October 31 before it was fixed a week later as part of Microsoft’s November 2022 Patch Tuesday security updates.
Google has attributed the activity to a North Korean-backed hacking group known as APT37, which has been active since at least 2012 and has been previously observed exploiting zero-day flaws to target South Korean users, North Korean defectors, policymakers, journalists and human rights activists. Cybersecurity company FireEye previously said it assessed with “high confidence” that APT37 activity is carried out on behalf of the North Korean government, noting that the group’s primary mission “is covert intelligence gathering in support of North Korea’s strategic military, political and economic interests.”
While Google researchers didn’t get a chance to analyze the malware APT37 hackers attempted to deploy against their targets, they note that the group is known for using a wide variety of malicious software.
“Although we did not recover a final payload for this campaign, we’ve previously observed the same group deliver a variety of implants like ROKRAT, BLUELIGHT, and DOLPHIN,” Lecigne and Stevens said. “APT37 implants typically abuse legitimate cloud services as a C2 channel and offer capabilities typical of most backdoors.”
Google TAG’s research comes after researchers at threat intelligence company Cisco Talos revealed that the North Korean state-sponsored Lazarus hacking group, also known as APT38, is exploiting the Log4Shell vulnerability to target energy providers in the United States, Canada and Japan.