Cybersecurity researchers from Google's Threat Analysis Group (TAG) discovered a zero-day vulnerability in the Internet Explorer (IE) browser that was exploited by prominent North Korean threat actors.
In a blog post, the group detailed its findings, saying it discovered that the APT37 (AKA Erebus) group used weaponized Microsoft Word documents to target individuals in South Korea.
The document, titled "221031 Seoul Yongsan Itaewon Accident Response Situation (06:00).docx," refers to the recent tragedy that took place in Itaewon, Seoul during this year's Halloween celebrations, in which at least 158 people lost their lives and another 200 were injured. Clearly, the attackers wanted to take advantage of the public and media attention the incident had generated.
Abuse of old flaws
After analyzing the document being distributed, TAG discovered that it downloaded a Rich Text File (RTF) remote template to the target endpoint, which in turn fetched remote HTML content. Microsoft may have retired Internet Explorer and replaced it with Edge, but Office still uses IE to render HTML content, a well-known fact that threat actors have been abusing since at least 2017, TAG said.
Because Office renders that HTML with IE, the attackers could abuse a zero-day vulnerability they had discovered in IE's JScript engine.
Microsoft was notified on October 31, 2022, the vulnerability was flagged as CVE-2022-41128 three days later, and a patch was released on November 8.
While TAG was able to trace the infection chain this far, it has not established the end result: it said it did not recover the final APT37 payload for the campaign, but added that the group had been observed in the past spreading malware such as Rokrat, Bluelight or Dolphin.
Via: Edge