Google’s Threat Analysis Group (TAG) today revealed that a group of North Korean hackers tracked as APT37 have exploited a previously unknown vulnerability in Internet Explorer (known as zero-day) to infect South Korean targets with malware.

Google TAG became aware of this recent attack on October 31, when several VirusTotal users from South Korea uploaded a malicious Microsoft Office document named “221031 Seoul Yongsan Itaewon Accident Response Situation (06:00).docx.”

Once opened on a victim’s device, the document would deliver an unknown payload after downloading a remote Rich Text File (RTF) template that rendered remote HTML content using Internet Explorer.

Loading the exploit’s HTML content remotely this way lets attackers exploit the IE zero-day even when targets were not using Internet Explorer as their default web browser, because Office still relies on the IE engine to render the fetched content.

The vulnerability (tracked as CVE-2022-41128) is caused by a weakness in Internet Explorer’s JavaScript engine, which allows attackers who successfully exploit it to execute arbitrary code when the engine renders a maliciously crafted web page.

Microsoft fixed it during last month’s Patch Tuesday on November 8, five days after it was assigned a CVE identifier following the TAG report received on October 31.

Malicious Office document used as a decoy by APT37 hackers (Google TAG)

No information about malware delivered to victims’ devices

While Google TAG was unable to analyze the final malicious payload that the North Korean hackers distributed to the computers of their South Korean targets, the threat actors are known to deploy a wide array of malware in their attacks.

“Although we did not pick up a final payload for this campaign, we have already observed the same group delivering a variety of implants like ROKRAT, BLUELIGHT and DOLPHIN,” said Clément Lecigne and Benoit Stevens of Google TAG.

“APT37 implants typically abuse legitimate cloud services as a C2 channel and provide functionality typical of most backdoors.”

APT37 has been active for about a decade, since at least 2012, and was previously linked to the North Korean government with high confidence by FireEye.

The threat group is known to focus its attacks on people of interest to the North Korean regime, including dissidents, diplomats, journalists, human rights activists and government employees.
