
Google says North Korea targeted an Internet Explorer zero-day vulnerability

Cybersecurity researchers from Google’s Threat Analysis Group (TAG) have discovered a zero-day vulnerability in the Internet Explorer (IE) browser being exploited by a well-known North Korean threat actor.

In a blog post detailing its findings, the group said it spotted the APT37 (AKA Erebus) group targeting individuals in South Korea with a weaponized Microsoft Word file.

The file is titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”, which is a reference to the recent tragedy that took place in Itaewon, Seoul, during this year’s Halloween celebration, where at least 158 people lost their lives, with another 200 injured. Apparently, the attackers wanted to take advantage of the public and media attention the incident got.

Abusing old flaws

After analyzing the document being distributed, TAG found that it downloads a rich text file (RTF) remote template to the target endpoint, which then fetches remote HTML content. Microsoft may have retired Internet Explorer and replaced it with Edge, but Office still renders HTML content using IE, a behavior threat actors have been abusing since at least 2017, TAG said.

Because Office renders HTML content with IE, the attackers could abuse the zero-day they discovered in IE’s JScript engine.

The team found the flaw in “jscript9.dll”, the JavaScript engine of Internet Explorer, which allowed threat actors to execute arbitrary code when rendering a website under their control. 

Microsoft was tipped off on October 31 2022, with the flaw labeled CVE-2022-41128 three days later, and a patch being released on November 8.

While the process so far only compromises the device, TAG did not discover to what end. It did not find APT37’s final payload for this campaign, it said, but added that the group was observed in the past delivering malware such as Rokrat, Bluelight, or Dolphin.

Via: The Verge


The post Google says North Korea Targeted an Internet Explorer zero-day vulnerability appeared first on TechCodex.


