Cybersecurity researchers from Google's Threat Analysis Group (TAG) have discovered a zero-day vulnerability in the Internet Explorer (IE) browser being exploited by a known North Korean hacking group.

In a blog post detailing their findings, TAG said it saw the group APT37 (also known as Erebus) targeting people in South Korea with a weaponized Microsoft Word file.

The file is titled "221031 Seoul Yongsan Itaewon Accident Response Situation (06:00).docx," which refers to the recent tragedy that took place in Itaewon, Seoul during this year's Halloween celebration, where at least 158 people lost their lives and another 200 were injured. The attackers apparently wanted to take advantage of the public and media attention on the incident.

Abusing old flaws

After analyzing the delivered document, TAG found that it downloaded a remote Rich Text File (RTF) template to the target endpoint, which in turn retrieved remote HTML content. Microsoft may have retired Internet Explorer and replaced it with Edge, but Office still renders HTML content using the IE engine, a fact threat actors have been abusing since at least 2017, TAG said.

Because Office renders HTML content with IE, the attackers could exploit the zero-day TAG discovered in IE's JScript engine.
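As an added illustration (not code from TAG's write-up), a small Python check that flags the first link in the chain described above: a .docx whose attached template relationship points to an external target rather than a file inside the package. The sample document and the URL in it are constructed for the demo; the attachedTemplate relationship type and the word/_rels/settings.xml.rels path are the standard OOXML locations Word uses.

```python
# Flag .docx files that pull their template from an external location
# (remote template injection). Sample document below is constructed.
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import List, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target found in the .docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []  # no settings relationships: nothing for Word to fetch
        root = ET.fromstring(z.read(SETTINGS_RELS))
    hits = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        is_template = rel.get("Type") == ATTACHED_TEMPLATE
        # TargetMode defaults to Internal; External means a URL or UNC path
        is_external = rel.get("TargetMode", "Internal") == "External"
        if is_template and is_external:
            hits.append(rel.get("Target", ""))
    return hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal constructed .docx, optionally with a remote template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # stub, not parsed here
        z.writestr("word/document.xml", "<document/>")  # stub, not parsed here
        if template_target is not None:
            z.writestr(SETTINGS_RELS,
                       f'<Relationships xmlns="{RELS_NS}">'
                       f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                       f'Target="{template_target}" TargetMode="External"/>'
                       '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("https://attacker.invalid/template.rtf")  # constructed
    print(find_remote_templates(lure))  # ['https://attacker.invalid/template.rtf']
    print(find_remote_templates(build_sample_docx(None)))  # []
```

Any hit is worth a closer look at the target host and at what the fetched template in turn loads, since a benign corporate template server is also a legitimate use of this feature.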

The team found the flaw in "jscript9.dll", Internet Explorer's JavaScript engine; it allowed the attackers to execute arbitrary code while rendering a website under their control.

Microsoft was notified on October 31, 2022, with the flaw tagged CVE-2022-41128 three days later, and a patch was released on November 8.

While the process described so far only compromises the device, TAG has not determined to what end. The team said it did not recover the final APT37 payload for this campaign, but added that the group had been observed delivering malware such as Rokrat, Bluelight or Dolphin in the past.

Via: The Verge