North Korean hackers exploited Internet Explorer zero-day to spread malware
North Korean state-sponsored hackers exploited a previously unknown zero-day vulnerability in Internet Explorer to target South Korean users with malware, according to Google’s Threat Analysis Group.
Google researchers first discovered the zero-day flaw on October 31 when multiple individuals uploaded a malicious Microsoft Office document to the company’s VirusTotal tool. These documents purported to be government reports related to the Itaewon tragedy, a crowd crush that occurred during Halloween festivities in the Itaewon neighborhood of Seoul. At least 158 people were killed and 196 others were injured.
“This incident was widely reported on, and the lure takes advantage of widespread public interest in the accident,” Google TAG’s Clement Lecigne and Benoit Stevens said on Wednesday.
The malicious documents were designed to exploit a zero-day vulnerability in Internet Explorer’s Script engine, tracked as CVE-2022-41128 with a CVSS severity rating of 8.8. Once opened, the document would deliver an unknown payload after downloading a rich text file (RTF) remote template that would render remote HTML using Internet Explorer. Although Internet Explorer was officially retired back in June and replaced by Microsoft Edge, Office still uses the IE engine to execute the JavaScript that enables the attack.
“This technique has been widely used to distribute IE exploits via Office files since 2017,” Lecigne and Stevens said. “Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser.”
The researchers added that Google reported the vulnerability to Microsoft on October 31 before it was fixed a week later as part of Microsoft’s November 2022 Patch Tuesday security updates.
Google has attributed the activity to a North Korean-backed hacking group known as APT37, which has been active since at least 2012 and has been previously observed exploiting zero-day flaws to target South Korean users, North Korean defectors, policymakers, journalists and human rights activists. Cybersecurity company FireEye previously said it assessed with “high confidence” that APT37 activity is carried out on behalf of the North…
