APT37 used Internet Explorer Zero-Day in a recent campaign

Google warns that the North Korea-linked APT37 group is exploiting Internet Explorer zero-day flaw to spread malware.

North Korea-linked APT37 group (aka ScarCruft, Reaper, and Group123) actively exploited an Internet Explorer zero-day vulnerability, tracked as CVE-2022-41128, in attacks aimed at South Korean users.

Google Threat Analysis Group researchers discovered the zero-day vulnerability in late October 2022, it was exploited by APT37 using specially crafted documents.

The attackers attempted to capitalize on the recent Itaewon Halloween crowd crush to trick users into opening the weaponized document and infecting their systems.

“These malicious documents exploited an Internet Explorer 0-day vulnerability in the JScript engine, CVE-2022-41128. Our policy is to quickly report vulnerabilities to vendors, and within a few hours of discovering this 0-day, we reported it to Microsoft and patches were released to protect users from these attacks.” reads the post published by TAG.

The document downloaded a rich text file (RTF) template from a remote server, which in turn fetched remote HTML content. Experts pointed out that Office renders this HTML content using Internet Explorer (IE). Using this technique the attackers are able to trigger IE zero-day using weaponized Office documents since 2017 (e.g. CVE-2017-0199).

TAG determined that the APT group abused the zero-day vulnerability in the JScript engine of Internet Explorer.

The flaw is an incorrect JIT optimization issue leading to a type confusion that resides within “jscript9.dll”, the JavaScript engine of Internet Explorer. An attacker can exploit the flaw to execute arbitrary code when the victim visits an attacker-controlled website.

TAG also identified other documents that were used to exploit the same vulnerability, the experts speculate they may be part of the same campaign.

The researchers did not recover the final payload, likely the document was used to deliver one of the malware in the arsenal of APT37, such as ROKRAT, BLUELIGHT, and DOLPHIN.

TAG reported the vulnerability to Microsoft on October 31, 2022, the IT giant addressed it on November 8, 2022.

Google TAG shared indicators of compromise (IOCs) for this campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Internet Explorer)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.