APT37 used Internet Explorer Zero-Day in a recent campaign

Google warns that the North Korea-linked APT37 group is exploiting Internet Explorer zero-day flaw to spread malware.

North Korea-linked APT37 group (aka ScarCruft, Reaper, and Group123) actively exploited an Internet Explorer zero-day vulnerability, tracked as CVE-2022-41128, in attacks aimed at South Korean users.

Google Threat Analysis Group researchers discovered the zero-day vulnerability in late October 2022, it was exploited by APT37 using specially crafted documents.

The attackers attempted to capitalize on the recent Itaewon Halloween crowd crush to trick users into opening the weaponized document and infecting their systems.

“These malicious documents exploited an Internet Explorer 0-day vulnerability in the JScript engine, CVE-2022-41128. Our policy is to quickly report vulnerabilities to vendors, and within a few hours of discovering this 0-day, we reported it to Microsoft and patches were released to protect users from these attacks.” reads the post published by TAG.

The document downloaded a rich text file (RTF) template from a remote server, which in turn fetched remote HTML content. Experts pointed out that Office renders this HTML content using Internet Explorer (IE). Using this technique the attackers are able to trigger IE zero-day using weaponized Office documents since 2017 (e.g. CVE-2017-0199).

TAG determined that the APT group abused the zero-day vulnerability in the JScript engine of Internet Explorer.

The flaw is an incorrect JIT optimization issue leading to a type confusion that resides within “jscript9.dll”, the JavaScript engine of Internet Explorer. An attacker can exploit the flaw to execute arbitrary code when the victim visits an attacker-controlled website.

TAG also identified other documents that were used to exploit the same vulnerability, the experts speculate they may be part of the same campaign.

The researchers did not recover the final payload, likely the document was used to deliver one of the malware in the arsenal of APT37, such as ROKRAT, BLUELIGHT, and DOLPHIN. 

TAG reported the vulnerability to Microsoft on October 31, 2022, the IT giant addressed it on November 8, 2022.

Google TAG shared indicators of compromise (IOCs) for this campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Internet Explorer)

[adrotate banner=”5″]

[adrotate banner=”13″]