
North Korean threat group exploiting Internet Explorer zero-day

North Korean-backed threat actors are using interest in the tragedy in South Korea where nearly 160 were crushed to death at a Halloween event on Oct. 29 to lure victims to exploit an Internet Explorer zero-day. (Photo by Chung Sung-Jun/Getty Images)

Google’s Threat Analysis Group (TAG) disclosed Dec. 7 that a North Korean government-backed threat group was exploiting an Internet Explorer zero-day in the wild.

While the Google TAG team said the North Korean group has historically targeted users in South Korea — policy makers, journalists and activists, as well as North Korean defectors — what is notable is the way in which APT37 used a flaw in the Windows JavaScript engine used by Internet Explorer to achieve remote code execution.

As noted by ZDNet, Microsoft stopped supporting Internet Explorer earlier this year, but the flaw can still be exploited through Microsoft Office documents because the IE engine remains integrated with Office.

The attackers used interest in the Oct. 29 tragedy in Seoul, in which nearly 160 people were crushed to death while gathering for a Halloween event, as the lure: victims open a document that downloads a rich text file (RTF) remote template, which in turn fetches remote HTML content.

“Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape,” wrote TAG’s Clement Lecigne and Benoit Sevens. 
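The delivery chain above, an RTF whose remote template points at attacker-hosted content, leaves a recognisable marker in the document itself. The following is an added defender-side example, not code from the TAG write-up or from SC Media, that parses the `\*\template` destination out of an RTF file and flags any target that points outside the document; the sample RTF bytes and the `example.invalid` host are constructed placeholders.

```python
import re

# Constructed sample RTF (not a real lure): a remote template reference of the
# kind described above, pointing at a placeholder host.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0"
    rb"{\*\template http://example.invalid/lures/halloween.dotm}"
    rb"{\fonttbl{\f0 Arial;}}"
    rb"\pard Seoul Halloween incident, list of victims\par}"
)

# Constructed variant with the URL hidden behind \'xx hex escapes, which a
# plain string search for "http" would miss.
OBFUSCATED_RTF = (
    rb"{\rtf1\ansi"
    rb"{\*\template \'68\'74\'74\'70://example.invalid/t.dotm}"
    rb"\pard text\par}"
)

# Captures the payload of a {\*\template ...} destination group.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s*([^{}]*)\}", re.IGNORECASE)
HEX_ESCAPE_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")
# Anything that makes Word reach off the host: web URLs or UNC paths.
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")


def decode_rtf_text(raw: bytes) -> str:
    """Resolve \\'xx hex escapes, then drop leftover control words."""
    raw = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    raw = re.sub(rb"\\[a-zA-Z]+-?\d* ?", b"", raw)
    return raw.decode("latin-1").strip()


def find_remote_templates(rtf: bytes) -> list:
    """Return every template target that points outside the document."""
    targets = [decode_rtf_text(m.group(1)) for m in TEMPLATE_RE.finditer(rtf)]
    return [t for t in targets if t.lower().startswith(REMOTE_PREFIXES)]


def scan_rtf(rtf: bytes) -> dict:
    """Verdict suitable for a mail-gateway or sandbox pre-filter."""
    remote = find_remote_templates(rtf)
    return {"suspicious": bool(remote), "remote_templates": remote}


if __name__ == "__main__":
    for name, doc in (("plain", SAMPLE_RTF), ("obfuscated", OBFUSCATED_RTF)):
        print(name, scan_rtf(doc))
```

A hit only says the document will fetch a remote template when opened; the fetched HTML is where the IE engine is invoked, so the flagged URL is what to detonate or block, not proof of exploitation on its own.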

While Google was unable to recover a final payload from the North Korean campaign, the researchers said they have observed APT37 deliver “a variety of implants like ROKRAT, BLUELIGHT, and DOLPHIN to abuse cloud services as a C2 channel and offer capabilities typical of most backdoors.”

The TAG team reported the vulnerability, labeled CVE-2022-41128, to Microsoft on Oct. 31 and the software giant issued a patch on Nov. 8. The Google team also noted that the flaw is similar to another Internet Explorer zero-day, CVE-2021-34480, that was patched in 2021.

In October, SC Media wrote about two other Internet Explorer vulnerabilities, reported by Varonis researchers, that abused the IE Event Log.

Of the vulnerabilities reported by Varonis, Microsoft did not fully fix one of the flaws because more recent operating systems are unaffected. The other flaw was addressed in Microsoft’s October Patch Tuesday by changing default permissions, restricting access to the IE Event Log on remote machines to local administrators and thereby reducing the potential for harm.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
