Google says North Korea targeted a security flaw in Internet Explorer

Cybersecurity researchers from Google's Threat Analysis Group (TAG) have discovered a vulnerability in the Internet Explorer (IE) browser that is being exploited by a known North Korean threat actor.

In a blog post detailing its findings, the group said it spotted APT37 (AKA Erebus) targeting individuals in South Korea with a weaponized Microsoft Word file.

The file is titled "Seoul Yongsan Itaewon Incident Response Status 221031 (06:00).docx," a reference to the recent tragedy in Itaewon, Seoul, during this year's Halloween celebration, in which at least 158 people were killed and 200 others were injured. Apparently, the attackers wanted to exploit the public and media interest in the incident.

Exploit old flaws

After analyzing the document being distributed, TAG found that it downloads a remote Rich Text Format (RTF) template to the target endpoint, which in turn fetches remote HTML content. Microsoft may have retired Internet Explorer and replaced it with Edge, TAG said, but Office still renders HTML content using IE, a fact attackers have abused since at least 2017.

Because Office renders HTML content using IE, attackers can abuse the zero-day they discovered in IE's JScript engine even though the browser itself is no longer in use.

The team discovered the flaw in "jscript9.dll," the JavaScript engine in Internet Explorer. It allowed threat actors to execute arbitrary code when the engine rendered a website under their control.

Microsoft was notified on October 31, 2022; the bug was assigned CVE-2022-41128 three days later, and a patch was released on November 8.

While the operation compromises the device, TAG has yet to determine its purpose. The company said it had not recovered the final APT37 payload for this campaign, but added that the group has been seen in the past delivering malware such as Rokrat, Bluelight or Dolphin.

Via: The Verge
